Cyber Resilience

CVE-2026-6158

Medium

Published: 13 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: none recorded
CVSS v4 Score: 6.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0115 (78.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6158 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink N300RH (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A flaw has been identified in the Totolink N300RH router running firmware version 6.1c.1353_B20190305. The issue resides in the setUpgradeUboot function within the upgrade.so component, where improper handling of the FileName argument permits operating system command injection. The vulnerability is tracked under CVE-2026-6158 and carries a CVSS v4 score of 6.9, with associated weaknesses classified as CWE-77 and CWE-78.

Remote, unauthenticated attackers can exploit the flaw over the network to execute arbitrary operating system commands. Successful exploitation has a limited impact on the confidentiality, integrity, and availability of the affected device, and a publicly available proof-of-concept has already been released.

The EPSS probability currently stands at 0.0115 after reaching a peak of 0.0486, reflecting a clear upward trajectory that indicates growing exploitation interest following disclosure. Reference materials include a GitHub repository containing exploit code for the N300RH, multiple Vuldb entries, and the vendor website, though no explicit patch or mitigation guidance is detailed in the available records.

EU & UK References

Vulnerability details

A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. Manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used.

CWE(s): CWE-77, CWE-78

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in the public-facing router web interface directly enables T1190 (remote exploitation) and T1059.004 (Unix shell command execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9454 (shared CWE-77, CWE-78)
CVE-2026-6116 (shared CWE-77, CWE-78)
CVE-2026-7138 (shared CWE-77, CWE-78)
CVE-2025-9387 (shared CWE-77, CWE-78)
CVE-2025-15472 (shared CWE-77, CWE-78)
CVE-2026-2260 (shared CWE-77, CWE-78)
CVE-2026-9385 (shared CWE-77, CWE-78)
CVE-2026-4465 (shared CWE-77, CWE-78)
CVE-2026-7125 (shared CWE-77, CWE-78)
CVE-2026-2210 (shared CWE-77, CWE-78)

Affected Assets

Totolink N300RH (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Validates the FileName argument passed to setUpgradeUboot in upgrade.so to prevent OS command injection payloads.

Prevent: Remediates the command injection flaw by installing vendor firmware patches or updates for the Totolink N300RH.

Prevent: Enforces access controls requiring authentication for the vulnerable upgrade endpoint, blocking unauthenticated remote exploitation.
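The input-validation control above, written out as an added illustration rather than code from the N300RH firmware or from the vendor: the function names, the staging directory and the flash-tool path are hypothetical. It shows the two defensive halves a practitioner would want for a file-name argument that reaches a privileged upgrade routine: an allowlist check on the name itself, and building an argv vector so that no shell ever parses the name.

```c
/* Added example, not the N300RH firmware's code. Names, paths and the
 * flash tool below are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UPGRADE_DIR  "/tmp/upgrade"         /* hypothetical staging dir   */
#define FLASH_TOOL   "/usr/sbin/flash_uboot" /* hypothetical flashing tool */
#define MAX_NAME_LEN 64

/* Return 1 if name is an acceptable upgrade-image file name, else 0.
 * Allowlist: [A-Za-z0-9._-] only, no leading '.', bounded length and a
 * fixed ".bin" suffix. Shell metacharacters (';', '|', '`', '$', '&',
 * spaces, quotes) and path separators simply fail the allowlist; there is
 * no blacklist to keep up to date. */
int validate_upgrade_filename(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    if (name[0] == '.') return 0;            /* blocks "..", ".hidden"      */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    if (len < 5 || strcmp(name + len - 4, ".bin") != 0) return 0;
    return 1;
}

/* Build the absolute path of the staged image into out. Returns 0 on
 * success, -1 if validation fails or the buffer would overflow. The name
 * is pinned under UPGRADE_DIR; validation already excluded '/' and "..". */
int build_upgrade_path(const char *name, char *out, size_t outsz)
{
    int n;
    if (!validate_upgrade_filename(name)) return -1;
    n = snprintf(out, outsz, "%s/%s", UPGRADE_DIR, name);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

/* Fill an argv vector for the flashing tool. The caller would pass this to
 * fork()/execv(); because no shell string is ever built, a name that
 * somehow slipped through validation still cannot append a second
 * command. Returns 0 on success, -1 on rejection. argv needs 4 slots. */
int prepare_flash_argv(const char *name, char *pathbuf, size_t pathsz,
                       const char *argv[4])
{
    if (build_upgrade_path(name, pathbuf, pathsz) != 0) return -1;
    argv[0] = FLASH_TOOL;
    argv[1] = "--image";
    argv[2] = pathbuf;
    argv[3] = NULL;
    return 0;
}

/* Test helper: does the staged path for name equal expected? */
int staged_path_equals(const char *name, const char *expected)
{
    char buf[128];
    if (build_upgrade_path(name, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, three hostile ones. */
    const char *samples[] = { "uboot_v2.bin", "fw; reboot",
                              "../etc/passwd", "`id`.bin" };
    char path[128];
    const char *argv[4];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = prepare_flash_argv(samples[i], path, sizeof path, argv);
        printf("%-16s -> %s\n", samples[i],
               ok == 0 ? argv[2] : "rejected");
    }
    return 0;
}
```

The check is deliberately an allowlist with a fixed suffix and a fixed parent directory: the question asked is "is this one of the names we expect?", not "does it contain a character we know is dangerous?". The argv construction is the second layer; even if validation is later relaxed, handing the tool a vector instead of a concatenated command line removes the shell from the path entirely.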

References