CVE-2026-6158

Severity: High
Published: 13 April 2026
Modified: 27 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0486 (89.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6158 is a high-severity Command Injection (CWE-77) vulnerability in the Totolink N300RH (product inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.4% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Validates the FileName argument passed to setUpgradeUboot in upgrade.so to prevent OS command injection payloads.
- prevent: Remediates the command injection flaw by installing vendor firmware patches or updates for the Totolink N300RH.
- prevent: Enforces access controls requiring authentication for the vulnerable upgrade endpoint, blocking unauthenticated remote exploitation.
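The first control above (input validation, SI-10) is the one a firmware maintainer can act on in code. The following is an added illustration, not Totolink's code and not taken from the published exploit: an allowlist validator for a user-supplied firmware file name, plus a launcher that never passes the value through a shell. The upload directory, the helper binary path and all function names are assumptions made for the example.

```c
/* Added example: allowlist validation of an upgrade file name before it is
 * used to build a command, in the spirit of NIST SI-10. The directory
 * "/tmp/upgrade" and the helper "/usr/sbin/upgrade_uboot" are assumptions,
 * not paths from the Totolink firmware. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_FILENAME 64
#define UPGRADE_DIR "/tmp/upgrade"

/* Bounded length: never read more than MAX_FILENAME + 1 bytes of untrusted input. */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n <= MAX_FILENAME && s[n] != '\0') n++;
    return n;
}

/* Returns 1 if name is acceptable as a bare file name, 0 otherwise.
 * Policy (allowlist, not denylist): non-empty, at most MAX_FILENAME bytes,
 * only [A-Za-z0-9._-], no leading dot, no ".." anywhere. Shell
 * metacharacters, spaces, slashes and control bytes are all rejected
 * simply because they are not in the allowed set. */
int upgrade_filename_is_valid(const char *name)
{
    if (name == NULL) return 0;
    size_t len = bounded_len(name);
    if (len == 0 || len > MAX_FILENAME) return 0;
    if (name[0] == '.') return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Builds "<UPGRADE_DIR>/<name>" in a static buffer, or returns NULL if the
 * name fails validation. Callers must check for NULL before use. */
const char *upgrade_path_for(const char *name)
{
    static char path[sizeof(UPGRADE_DIR) + 1 + MAX_FILENAME + 1];
    if (!upgrade_filename_is_valid(name)) return NULL;
    int n = snprintf(path, sizeof path, "%s/%s", UPGRADE_DIR, name);
    if (n < 0 || (size_t)n >= sizeof path) return NULL;
    return path;
}

/* Runs the (assumed) helper with the validated path as a single argv
 * element via fork/execv. No shell is involved, so even if validation were
 * later relaxed, metacharacters could not be interpreted as commands.
 * Returns the child's exit status, or -1 on rejection/failure. */
int run_uboot_upgrade(const char *name)
{
    const char *path = upgrade_path_for(name);
    if (path == NULL) return -1;                /* reject, do not "sanitise" */
    char *const argv[] = { "upgrade_uboot", (char *)path, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/usr/sbin/upgrade_uboot", argv); /* assumed helper binary */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, two that must be rejected. */
    const char *samples[] = { "uboot_v2.bin", "fw.bin; ls", "../etc/passwd" };
    for (size_t i = 0; i < 3; i++) {
        const char *p = upgrade_path_for(samples[i]);
        printf("%-16s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```

The design choice worth noting is that rejected input is refused outright rather than stripped or escaped: escaping for one shell dialect is fragile, while an allowlist plus execv removes the shell from the path entirely.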

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the router's public-facing web interface directly enables T1190 (remote exploitation of the exposed service) and T1059.004 (execution of the injected Unix shell commands on the device).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Deeper analysis (AI-generated)

CVE-2026-6158 is an OS command injection vulnerability in the Totolink N300RH router running firmware version 6.1c.1353_B20190305. The flaw resides in the setUpgradeUboot function within the upgrade.so file, where manipulation of the FileName argument enables arbitrary command execution. Associated with CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote exploitability.

The vulnerability can be exploited remotely by unauthenticated attackers over the network, with low attack complexity and no user interaction required. The CVSS vector rates the confidentiality, integrity and availability impacts as Low, but the practical consequence is execution of arbitrary OS commands on the device.

References include a public proof-of-concept exploit on GitHub demonstrating remote code execution (RCE) via the vulnerable endpoint, along with VulDB entries detailing the issue. The Totolink vendor website is listed, though specific patch or mitigation guidance is not detailed in available sources. Security practitioners should isolate affected devices and monitor for exploitation attempts given the published exploit.

Details

CWE(s): CWE-77, CWE-78

Affected Products

Vendor: Totolink
Product: N300RH
Note: inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

- CVE-2026-2175 (shared CWE-77, CWE-78)
- CVE-2026-2210 (shared CWE-77, CWE-78)
- CVE-2026-2260 (shared CWE-77, CWE-78)
- CVE-2026-2081 (shared CWE-77, CWE-78)
- CVE-2025-15472 (shared CWE-77, CWE-78)
- CVE-2026-2157 (shared CWE-77, CWE-78)
- CVE-2025-1829 (shared CWE-77, CWE-78)
- CVE-2026-5690 (shared CWE-77, CWE-78)
- CVE-2026-6116 (shared CWE-77, CWE-78)
- CVE-2026-5995 (shared CWE-77, CWE-78)

References