CVE-2026-6026
Published: 10 April 2026
Summary
CVE-2026-6026 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A7100RU firmware version 7.4cu.2313_b20191024. The issue resides in the setPortalConfWeChat function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the enable argument permits operating system command injection. The vulnerability is tracked as CVE-2026-6026, carries a CVSS 4.0 score of 8.9, and is associated with CWE-77 and CWE-78.
An unauthenticated attacker can exploit the flaw remotely by sending a crafted request to the affected CGI endpoint, achieving arbitrary command execution on the device with no user interaction required. Public exploit code has already been released, enabling straightforward weaponization against exposed routers.
The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0125 before settling at the current value of 0.0032, indicating that exploitation interest increased after disclosure. Available references point to detailed technical write-ups on VulDB and a public GitHub repository but do not describe vendor patches or specific mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21318
Vulnerability details
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
This CVE enables unauthenticated remote exploitation of a public-facing web application (T1190), leading to arbitrary OS command execution on a likely Unix/Linux-based router (T1059.004).
Mitigating Controls (NIST 800-53 r5) AI
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'enable' argument in setPortalConfWeChat to block OS command injection via the CGI endpoint.
- AC-3 (Access Enforcement): enforces access-control policy on /cgi-bin/cstecgi.cgi so that unauthenticated remote requests cannot reach the vulnerable function.
- Boundary-protection mechanisms can restrict or deny external access to the router's management CGI interface, limiting remote exploit reach.