Cyber Resilience

CVE-2026-6026

Severity: High · Impact: RCE

Published: 10 April 2026
Modified: 27 April 2026
KEV Added: not listed (not in the CISA KEV catalog at the time of writing)
Patch: none recorded in the available references
CVSS Score (v4): 8.9 · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0298 (85.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6026 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A security flaw has been discovered in Totolink A7100RU firmware version 7.4cu.2313_b20191024. The issue resides in the setPortalConfWeChat function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the enable argument permits operating system command injection. The vulnerability is tracked as CVE-2026-6026, carries a CVSS 4.0 score of 8.9, and is associated with CWE-77 and CWE-78.

An unauthenticated attacker can exploit the flaw remotely by sending a crafted request to the affected CGI endpoint, achieving arbitrary command execution on the device with no user interaction required. Public exploit code has already been released, enabling straightforward weaponization against exposed routers.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0125 before settling at the current value of 0.0032, indicating that exploitation interest increased after disclosure. Available references point to detailed technical write-ups on VulDB and a public GitHub repository but do not describe vendor patches or specific mitigation steps.

Vulnerability details

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables unauthenticated remote exploitation of a public-facing web application (T1190), leading to arbitrary OS command execution on what is most likely a Unix/Linux-based router (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)
CVE-2026-2157 (shared CWE-77, CWE-78)
CVE-2026-7136 (shared CWE-77, CWE-78)
CVE-2026-7121 (shared CWE-77, CWE-78)
CVE-2026-9387 (shared CWE-77, CWE-78)
CVE-2026-9477 (shared CWE-77, CWE-78)
CVE-2026-2063 (shared CWE-77, CWE-78)
CVE-2026-2847 (shared CWE-77, CWE-78)

Affected Assets

Totolink A7100RU (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · SI-10 (Information Input Validation)
Directly requires validation and sanitization of the 'enable' argument in setPortalConfWeChat to block OS command injection via the CGI endpoint.

Prevent · AC-3 (Access Enforcement)
Enforces access-control policy on /cgi-bin/cstecgi.cgi so that unauthenticated remote requests cannot reach the vulnerable function.

Prevent · SC-7 (Boundary Protection)
Boundary-protection mechanisms can restrict or deny external access to the router's management CGI interface, limiting remote exploit reach.
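What the SI-10 control looks like in code for a CGI handler like this one, as an added example written for this page (it is not TOTOLINK's setPortalConfWeChat implementation, which is not shown here): the `enable` value is allowlisted to the literal "0" or "1", and the setting is applied through execv with a fixed argv vector so no shell ever parses request data. The helper binary path /usr/sbin/portalctl and its arguments are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist check for the `enable` argument: only the literal "0" or "1" is
 * accepted. Returns 0/1, or -1 for NULL, empty, padded or metacharacter input. */
int parse_enable_flag(const char *value)
{
    if (value == NULL) return -1;
    if (strcmp(value, "0") == 0) return 0;
    if (strcmp(value, "1") == 0) return 1;
    return -1;
}

/* Build an argv vector for a helper binary instead of formatting a command
 * string. Returns the argument count (3) or -1 if validation fails. The helper
 * path and its arguments are assumptions for this example, not firmware names. */
int build_portal_argv(const char *enable_value, const char *argv[4])
{
    int flag = parse_enable_flag(enable_value);
    if (flag < 0) return -1;
    argv[0] = "/usr/sbin/portalctl";    /* hypothetical helper binary */
    argv[1] = "wechat";
    argv[2] = flag ? "on" : "off";      /* derived from the flag, never copied from input */
    argv[3] = NULL;
    return 3;
}

/* Run the helper with fork+execv. The validated flag travels as its own argv
 * element and no shell interprets the request, so there is no command line to
 * inject into. Returns the helper's exit status, or -1 on rejection or error. */
int apply_portal_wechat(const char *enable_value)
{
    const char *argv[4];
    if (build_portal_argv(enable_value, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                     /* exec failed; never fall back to system() */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Any value that is not exactly "0" or "1" is rejected before the process boundary is touched, which is the check the SI-10 mapping above asks for.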

References