CVE-2026-6156
Published: 13 April 2026
Summary
CVE-2026-6156 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection vulnerability by requiring input validation mechanisms for the untrusted Comment argument in the setIpQosRules CGI function.
Prevents unauthenticated remote exploitation by explicitly limiting permitted actions, such as setIpQosRules, without identification or authentication on the CGI handler.
Addresses the vulnerability through identification, reporting, and timely remediation of the command injection flaw via firmware updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing router web CGI interface (T1190), directly enabling arbitrary command execution on the network device CLI (T1059.008).
NVD Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack…
more
is possible. The exploit has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-6156 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw affects the setIpQosRules function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the Comment argument enables injection of arbitrary operating system commands.
Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and associated CWEs-77 and CWE-78. Successful exploitation allows attackers to execute arbitrary OS commands, potentially compromising confidentiality, integrity, and availability of the affected device.
Advisories provide further details at VulDB entries (https://vuldb.com/vuln/357036, https://vuldb.com/vuln/357036/cti, https://vuldb.com/submit/793681) and a GitHub repository with the disclosed exploit (https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md). The vendor site is available at https://www.totolink.net/.
The exploit has been publicly disclosed and may be used, per the CVE description published on 2026-04-13.
Details
- CWE(s)