CVE-2026-6115
Published: 12 April 2026
Summary
CVE-2026-6115 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and sanitization of inputs like the 'enable' argument to the vulnerable setAppCfg CGI function.
Addresses the specific flaw in Totolink A7100RU firmware through timely risk-based remediation such as patching.
Enforces logical access authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated remote exploitation of a public-facing web CGI application (T1190) to inject and execute arbitrary OS commands on the network device (T1059.008).
NVD Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack may be…
more
launched remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-6115 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue exists in the setAppCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "enable" argument enables attackers to inject and execute arbitrary operating system commands.
The vulnerability is exploitable remotely by unauthenticated attackers requiring no privileges, low complexity, and no user interaction, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially granting full control over the affected device.
Advisories from VulDB detail the remote exploitability and reference a published proof-of-concept on GitHub. Practitioners should consult the Totolink website and VulDB entries for any firmware updates or mitigation guidance, as an exploit is publicly available.
Details
- CWE(s)