CVE-2026-6158
Published: 13 April 2026
Summary
CVE-2026-6158 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink N300RH (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A flaw has been identified in the Totolink N300RH router running firmware version 6.1c.1353_B20190305. The issue resides in the setUpgradeUboot function within the upgrade.so component, where improper handling of the FileName argument permits operating system command injection. The vulnerability is tracked under CVE-2026-6158 and carries a CVSS v4 score of 6.9, with associated weaknesses classified as CWE-77 and CWE-78.
Remote, unauthenticated attackers can exploit the flaw over the network to execute arbitrary operating system commands. Successful exploitation grants limited effects on confidentiality, integrity, and availability of the affected device, and a publicly available proof-of-concept has already been released.
The EPSS probability currently stands at 0.0115 after reaching a peak of 0.0486, reflecting a clear upward trajectory that indicates growing exploitation interest following disclosure. Reference materials include a GitHub repository containing exploit code for the N300RH, multiple Vuldb entries, and the vendor website, though no explicit patch or mitigation guidance is detailed in the available records.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21851
Vulnerability details
A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has…
more
been published and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing router web interface directly enables T1190 for remote exploitation and T1059.004 for Unix shell command execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates the FileName argument passed to setUpgradeUboot in upgrade.so to prevent OS command injection payloads.
Remediates the command injection flaw by installing vendor firmware patches or updates for the Totolink N300RH.
Enforces access controls requiring authentication for the vulnerable upgrade endpoint, blocking unauthenticated remote exploitation.