CVE-2026-6132
Published: 12 April 2026
Summary
CVE-2026-6132 is a critical-severity OS command injection vulnerability (CWE-77, Command Injection) in the Totolink A7100RU router, firmware 7.4cu.2313_b20191024. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents OS command injection by requiring validation of the untrusted 'enable' argument in the vulnerable setLedCfg CGI function.
- AC-14 (Permitted Actions Without Identification or Authentication): Limits unauthenticated remote access to dangerous CGI functions like setLedCfg, preventing exploitation without identification and authentication.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the specific command injection flaw in the Totolink router firmware.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection through a public-facing CGI interface on the router maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1059.008 (Network Device CLI) for the arbitrary command execution that follows.
NVD Description
A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Deeper analysis
CVE-2026-6132 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The flaw resides in the setLedCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the 'enable' argument triggers command injection.
Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary OS command execution on the device. The exploit has been publicly disclosed and may be utilized.
Advisories detail the issue on VulDB at https://vuldb.com/vuln/356996 and https://vuldb.com/submit/792252, with a public exploit README available at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_183/README.md. The vendor site https://www.totolink.net/ is referenced for further information; security practitioners should consult these sources for any patch availability or mitigation steps.
The vulnerability maps to CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with public disclosure of the exploit heightening the risk of active exploitation in the wild.
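The validation SI-10 calls for, as an added illustration in C that is not Totolink's firmware code: a sketch of the vulnerable pattern (the untrusted 'enable' value spliced into a shell command line) beside a hardened handler that allow-lists the flag and passes it to the helper as a single execv() argument. The led_ctl helper binary, its path, and the sample request values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the A7100RU firmware. `enable` stands for the untrusted
 * setLedCfg argument taken from the request; "led_ctl" is an assumed helper.
 */

/* Vulnerable pattern: the untrusted value is formatted straight into a
 * command line that would then be handed to system()/popen(). Any shell
 * metacharacter in `enable` becomes part of the command the shell runs. */
int build_led_cmd_unsafe(const char *enable, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "led_ctl %s", enable);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened, step 1: allow-list validation. A LED enable flag has exactly
 * two legitimate values, so accept nothing else; no deny-list needed. */
int enable_is_valid(const char *enable)
{
    return enable != NULL &&
           (strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

/* Hardened, step 2: never go through a shell. Build an argv for execv() so
 * the value stays one argument even if the allow-list were ever relaxed.
 * Returns 0 on success, -1 if the value is rejected or argv is too small. */
int build_led_argv_safe(const char *enable, const char *argv[], size_t argc_max)
{
    if (argc_max < 3 || !enable_is_valid(enable))
        return -1;
    argv[0] = "/sbin/led_ctl";   /* assumed path of the helper binary */
    argv[1] = enable;
    argv[2] = NULL;
    return 0;
}

/* Does a built command line still contain a shell metacharacter? Used only
 * to show what the unsafe path lets through; it is not the defence. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n") != NULL;
}

int main(void)
{
    /* Constructed sample values for the enable= parameter. */
    const char *benign = "1";
    const char *hostile = "1;id";   /* illustration of a metacharacter payload */
    char cmd[128];
    const char *argv[4];

    build_led_cmd_unsafe(hostile, cmd, sizeof cmd);
    printf("unsafe command line: \"%s\" (metachar=%d)\n", cmd, has_shell_metachar(cmd));
    printf("safe, benign  rc=%d\n", build_led_argv_safe(benign, argv, 4));
    printf("safe, hostile rc=%d\n", build_led_argv_safe(hostile, argv, 4));
    return 0;
}
```

The allow-list carries the weight here: because the flag has two legitimate values, rejecting everything else removes the injection surface regardless of which characters a given shell treats specially. Switching from a shell command line to an execv() argv is defence in depth for the case where a future change widens what the handler accepts.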
Details
- CWE(s)