CVE-2026-6138
Published: 13 April 2026
Summary
CVE-2026-6138 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw in the setAccessDeviceCfg function by applying vendor firmware updates or patches.
Prevents command injection attacks by validating and sanitizing the 'mac' argument input to the vulnerable CGI handler.
Identifies the command injection vulnerability through regular scanning of the router firmware and hosted applications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing router CGI enables remote exploitation of public-facing application (T1190) and facilitates arbitrary OS command execution on network device (T1059.008).
NVD Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated…
more
remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-6138 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setAccessDeviceCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the 'mac' argument triggers command injection. Published on 2026-04-13, it is associated with CWE-77 and CWE-78.
The vulnerability enables remote exploitation by unauthenticated attackers requiring low complexity and no user interaction, per its CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can execute arbitrary OS commands on the device, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.
Advisories and references, including a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_191/README.md publishing the exploit, VULDB entries at https://vuldb.com/vuln/357002 and related pages, and the Totolink vendor site at https://www.totolink.net/, provide further details. Practitioners should review these for mitigation guidance, such as firmware updates if available from the vendor.
The exploit has been publicly released and may be used, heightening the risk of real-world attacks on unpatched devices.
Details
- CWE(s)