Cyber Posture

CVE-2026-1601

Medium · Public PoC

Published: 29 January 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0572 (90.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1601 is a medium-severity Injection (CWE-74) vulnerability in Totolink A7000R Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Directly requires validation and sanitization of the FileName argument in setUploadUserData to neutralize special elements and block command injection.

prevent · SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific command injection flaw in the cstecgi.cgi script via firmware patching.

prevent · least privilege: Enforces least privilege on low-privilege authenticated accounts to restrict the scope and impact of injected commands executed by the vulnerable CGI process.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct command injection in a public-facing CGI endpoint enables remote code execution by unauthenticated or low-privilege attackers, matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Deeper analysis

CVE-2026-1601 is a command injection vulnerability affecting the Totolink A7000R router running firmware version 4.1cu.4154. The flaw resides in the setUploadUserData function within the /cgi-bin/cstecgi.cgi CGI script, where manipulation of the FileName argument fails to properly neutralize special elements, enabling arbitrary command execution. This issue aligns with CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges, such as a standard user account on the device. Successful exploitation allows injection and execution of operating system commands, potentially resulting in limited impacts to confidentiality, integrity, and availability, including unauthorized data access, modification of system files, or denial-of-service conditions.

Public proof-of-concept exploits are available on GitHub, detailing the remote code execution (RCE) via the setUploadUserData endpoint. VulDB advisories (ctiid.343373, id.343373) document the issue, but no vendor patches or specific mitigation steps are detailed in the referenced sources. Security practitioners should isolate affected devices and monitor for anomalous CGI requests.

The exploit code has been publicly disclosed and could be adapted for real-world attacks against unpatched Totolink A7000R routers. The vulnerability was published on 2026-01-29.
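The analysis above recommends monitoring for anomalous CGI requests, and the SI-10 control calls for validating the FileName argument. The following added example (not code from the advisory, VulDB, or the vendor) does both on the defender's side: it scans constructed proxy log lines for requests to /cgi-bin/cstecgi.cgi that invoke setUploadUserData with a FileName value containing shell metacharacters or falling outside a strict allowlist, and it shows the allowlist validator a hardened handler would apply. Assumptions not stated on the page: the request body is JSON, the function is selected by a "topicurl" key, and the log format is '<ts> <client> "<METHOD> <path>" <body>'.

```python
"""Detection and input-validation helpers for setUploadUserData requests.

Added example; this is not code from the advisory, VulDB, or the vendor.
It scans constructed proxy log lines for requests to /cgi-bin/cstecgi.cgi
that invoke setUploadUserData with a FileName value outside a strict
allowlist, and shows the allowlist validator itself (the kind of check
NIST SI-10 asks for). Assumptions not stated on the page: the request
body is JSON, the function is selected by a "topicurl" key, and the log
format is '<ts> <client> "<METHOD> <path>" <body>'.
"""
import json
import re
from typing import List, Optional

VULN_PATH = "/cgi-bin/cstecgi.cgi"      # file named in the advisory
VULN_FUNCTION = "setUploadUserData"     # function named in the advisory
FUNCTION_KEY = "topicurl"               # assumed selector key in the JSON body

# Any of these lets a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n]")
# Allowlist: a plain file name, no separators, no traversal, bounded length.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Constructed log format used by the sample below.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>[^" ]+)" (?P<body>.*)$'
)


def is_safe_filename(name: str) -> bool:
    """Allowlist check a hardened handler would apply before using FileName."""
    return bool(SAFE_FILENAME.match(name)) and ".." not in name


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return a finding for a suspicious setUploadUserData call, else None."""
    if path.split("?", 1)[0] != VULN_PATH:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        # The endpoint expects JSON; anything else sent to cstecgi.cgi is worth a look.
        return {"severity": "medium", "reason": "unparseable body sent to cstecgi.cgi"}
    if not isinstance(data, dict) or data.get(FUNCTION_KEY) != VULN_FUNCTION:
        return None
    filename = data.get("FileName")
    if not isinstance(filename, str):
        return {"severity": "low", "reason": "setUploadUserData without a string FileName"}
    if SHELL_META.search(filename):
        return {"severity": "high", "reason": "shell metacharacters in FileName", "value": filename}
    if not is_safe_filename(filename):
        return {"severity": "medium", "reason": "FileName outside allowlist", "value": filename}
    return None


def scan(lines: List[str]) -> List[dict]:
    """Run inspect_request over log lines and attach timestamp and source client."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        finding = inspect_request(m["path"], m["body"])
        if finding:
            findings.append({"ts": m["ts"], "client": m["client"], **finding})
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '2026-02-10T09:14:02Z 192.0.2.10 "POST /cgi-bin/cstecgi.cgi" {"topicurl":"setUploadUserData","FileName":"users.dat"}',
    '2026-02-10T09:14:05Z 192.0.2.10 "POST /cgi-bin/cstecgi.cgi" {"topicurl":"setUploadUserData","FileName":"users.dat;echo injected"}',
    '2026-02-10T09:14:07Z 198.51.100.7 "POST /cgi-bin/cstecgi.cgi" {"topicurl":"setUploadUserData","FileName":"../../etc/users.dat"}',
    '2026-02-10T09:14:09Z 198.51.100.7 "POST /cgi-bin/cstecgi.cgi" not-json',
    '2026-02-10T09:14:11Z 203.0.113.5 "GET /index.html" -',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        extra = f" ({f['value']!r})" if "value" in f else ""
        print(f"{f['ts']} {f['client']} {f['severity'].upper()}: {f['reason']}{extra}")
```

Run as a script it reports three of the five constructed lines: the metacharacter case as high, the traversal-style name and the non-JSON body as medium, and leaves the benign upload and the unrelated GET alone. The same `is_safe_filename` allowlist is what a patched handler should enforce before the value reaches any command or path construction; rejecting anything outside it is cheaper and more reliable than trying to strip individual special characters.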

Details

CWE(s): CWE-74 (Injection)

Affected Products: Totolink A7000R firmware 4.1cu.4154

CVEs Like This One

CVE-2026-1547 (same product: Totolink A7000R)
CVE-2026-1548 (same product: Totolink A7000R)
CVE-2026-1150 (same vendor: Totolink)
CVE-2026-1326 (same vendor: Totolink)
CVE-2026-5020 (same vendor: Totolink)
CVE-2026-1149 (same vendor: Totolink)
CVE-2026-5105 (same vendor: Totolink)
CVE-2026-5103 (same vendor: Totolink)
CVE-2025-7614 (same vendor: Totolink)
CVE-2026-0641 (same vendor: Totolink)

References