Cyber Resilience

CVE-2026-4611

Severity: High · Type: RCE

Published: 23 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.0303 (85.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4611 is a high-severity command injection vulnerability (CWE-77, with OS command injection CWE-78) in TOTOLINK X6000R firmware. Its CVSS v4 base score is 8.6 (High). Note the PR:H in the vector: the attacker must hold administrator credentials for the router's web interface before the flaw is reachable.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of all CVEs by exploit likelihood (EPSS 85.8th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability has been identified in the TOTOLINK X6000R router firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. The flaw resides in the setLanCfg function within /usr/sbin/shttpd and is triggered by improper handling of the Hostname argument, allowing operating system command injection as classified under CWE-77 and CWE-78. The issue is remotely reachable and carries a CVSS 4.0 score of 8.6.

An authenticated administrator can supply a crafted Hostname value over the network to execute arbitrary commands on the device, resulting in full compromise of confidentiality, integrity, and availability with no user interaction required. The attack vector is network-accessible with low complexity once administrative credentials are obtained. In practice the PR:H requirement is only as strong as the administrator password and the exposure of the management interface, so keep the web UI off the WAN and replace any default credentials while no fixed firmware is available.
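The bug class described above, as an added illustration that is not the page's or TOTOLINK's code: a reconstruction of what a setLanCfg-style handler looks like when the Hostname parameter is pasted into a shell command line, beside a hardened form that applies the allow-list validation called for under the SI-10 control below and then sets the name through the sethostname(2) system call with no shell involved. The function names, the use of system() in the vulnerable path, and the attacker value are assumptions chosen to show the pattern; the real shttpd code is not public.

```c
/* Added illustration of CWE-77/CWE-78 in a router settings handler.
 * NOT TOTOLINK's shttpd source: function names, the system() call and
 * the payload are assumptions made to demonstrate the bug class. */
#define _GNU_SOURCE          /* declare sethostname() in unistd.h on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOSTNAME_MAX 63      /* RFC 1123 single-label length limit */

/* Vulnerable pattern: the untrusted Hostname parameter is interpolated
 * into a command string handed to /bin/sh. A value such as
 *   demo; reboot      or      $(cat /etc/shadow)
 * is parsed by the shell, and on consumer routers the web server
 * typically runs as root, so the injected command does too. */
int set_hostname_vulnerable(const char *hostname)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "hostname %s", hostname);
    return system(cmd);      /* /bin/sh -c "hostname <attacker input>" */
}

/* Allow-list validation (SI-10): letters, digits and interior hyphens
 * only, 1..63 characters. Explicit ranges are used instead of isalnum()
 * so the result does not depend on the process locale. Anything the
 * shell could interpret (; | & $ ` ( ) < > quotes, whitespace, newlines)
 * is rejected outright rather than escaped. Returns 1 if valid, else 0. */
int hostname_is_valid(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > HOSTNAME_MAX)
        return 0;
    if (h[0] == '-' || h[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = h[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened form: validate first, then apply the setting via the
 * sethostname(2) syscall so no shell ever sees the value.
 * Returns 0 on success, -1 on invalid input or syscall failure
 * (for example EPERM when not running as root). */
int set_hostname_hardened(const char *hostname)
{
    if (!hostname_is_valid(hostname))
        return -1;
    return sethostname(hostname, strlen(hostname));
}

int main(void)
{
    /* Constructed attacker value: a harmless marker instead of a real payload. */
    const char *payload = "demo; echo INJECTED-COMMAND-RAN";

    printf("vulnerable path:\n");
    set_hostname_vulnerable(payload);    /* the echo after ';' runs */

    printf("hardened path: %s\n",
           set_hostname_hardened(payload) == -1 ? "rejected" : "applied");
    return 0;
}
```

Rejecting rather than escaping is deliberate: a hostname has a small legal alphabet, so an allow-list is both simpler and safer than trying to quote every shell metacharacter, and removing the shell from the data path means a validation slip can no longer become command execution.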

Public references point to VulDB entries and the vendor site but contain no explicit details on patches, firmware updates, or mitigation steps. At the time this analysis was written the EPSS score was 0.0124 with a peak of 0.0159; the header above carries the latest value. Either way, observed exploitation interest to date is limited.

Vulnerability details

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. Affected is the function setLanCfg of the file /usr/sbin/shttpd. Manipulation of the argument Hostname leads to OS command injection. The attack may be launched remotely.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command (Command Injection)
CWE-78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an OS command injection in a router web interface (/usr/sbin/shttpd, setLanCfg), so exploiting the exposed application (T1190) yields arbitrary Unix shell command execution on the device (T1059.004). Because the CVSS vector carries PR:H, the T1190 step presupposes administrator credentials, obtained legitimately, by default-password reuse, or through a separate weakness; the injection itself does not bypass authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52053 · Same product: Totolink X6000R
CVE-2025-11005 · Same product: Totolink X6000R
CVE-2025-52906 · Same product: Totolink X6000R
CVE-2025-70328 · Same product: Totolink X6000R
CVE-2025-52907 · Same product: Totolink X6000R
CVE-2025-2096 · Same vendor: Totolink
CVE-2025-1339 · Same vendor: Totolink
CVE-2026-3301 · Same vendor: Totolink
CVE-2025-2094 · Same vendor: Totolink
CVE-2025-1829 · Same vendor: Totolink

Affected Assets

Vendor: TOTOLINK
Product: X6000R firmware
Versions: 9.4.0cu.1360_B20241207, 9.4.0cu.1498_B20250826

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation · prevent

Directly mitigates the injection: the Hostname argument to setLanCfg must be validated against an allow-list of legal hostname characters, and the resulting command must be built without passing the value through a shell, before it reaches the operating system.

SI-2 Flaw Remediation · prevent

Addresses the specific flaw in the shttpd component by requiring timely identification, reporting, and correction of vulnerabilities such as CVE-2026-4611 through vendor patching. Until fixed firmware is published, restrict the management interface to the LAN and monitor the vendor site for an update.

AC-6 Least Privilege · prevent

Limits the impact of a successful injection: if shttpd did not run as root, commands injected through the administrator interface would execute with the web server's privileges instead of handing the attacker full control of the device. This does not reduce the PR:H bar the attacker must already clear; it bounds what they gain afterwards.
