CVE-2026-6112
Published: 12 April 2026
Summary
CVE-2026-6112 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection vulnerability in the setRadvdCfg function by requiring timely identification, reporting, and correction of the specific flaw.
Prevents exploitation of the command injection by validating the maxRtrAdvInterval argument in the CGI handler to block malicious input.
Detects the CVE-2026-6112 vulnerability through regular scanning of the Totolink router firmware and drives remediation to patch the exposed flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection via public-facing CGI on router directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix Shell command execution (T1059.004).
NVD Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The…
more
exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-6112 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setRadvdCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the maxRtrAdvInterval argument triggers command injection. Published on 2026-04-12, it is associated with CWE-77 and CWE-78 and carries a CVSS v3.1 base score of 9.8.
The vulnerability enables remote exploitation without authentication, privileges, or user interaction (AV:N/AC:L/PR:N/UI:N/S:U), allowing attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful attacks permit arbitrary OS command execution on the device.
Advisories detail the flaw on VulDB (vuln/356972 and related pages) and provide a public exploit in a GitHub repository (Litengzheng/vuldb_new). The Totolink website (totolink.net) is referenced for further information, though specific patches are not detailed in the disclosure.
The exploit is publicly available and could be used for attacks, heightening risk for unpatched Totolink A7100RU devices.
Details
- CWE(s)