Cyber Resilience

CVE-2026-7548

High · RCE

Published: 01 May 2026
Modified: 01 May 2026
KEV Added
Patch
CVSS Score (v4): 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0149 (70.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7548 is a high-severity Injection (CWE-74) vulnerability in Totolink NR1800X (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 29.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability has been identified in the Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910. The flaw resides in the sub_41A68C function within /cgi-bin/cstecgi.cgi and is triggered by unsanitized input to the setUssd argument, corresponding to CWE-74 and CWE-77. The issue is remotely reachable and carries a CVSS 4.0 score of 7.4.

An attacker with low-privileged network access can supply a crafted setUssd value to execute arbitrary operating-system commands on the device. Public exploit code has been released, enabling straightforward remote code execution without user interaction.

The EPSS score remains flat at 0.0190 with no material increase after disclosure. Reference links point to a proof-of-concept repository and vendor site, but no specific patch or mitigation guidance is detailed in the available information.


Vulnerability details

A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. This affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument setUssd results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Command injection via the router's web CGI enables exploitation of a public-facing application (T1190) and arbitrary command execution through the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-5030: shared CWE-74, CWE-77
- CVE-2026-1638: shared CWE-74, CWE-77
- CVE-2025-15357: shared CWE-74, CWE-77
- CVE-2026-6989: shared CWE-74, CWE-77
- CVE-2026-2530: shared CWE-74, CWE-77
- CVE-2026-4228: shared CWE-74, CWE-77
- CVE-2026-0581: shared CWE-74, CWE-77
- CVE-2026-1125: shared CWE-74, CWE-77
- CVE-2026-2527: shared CWE-74, CWE-77
- CVE-2025-15137: shared CWE-74, CWE-77

Affected Assets

Totolink NR1800X (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Directly requires validation and sanitization of untrusted input (setUssd) to the CGI function, blocking the command-injection payload before OS execution occurs.
- prevent: Limits privileges of the web-server/CGI process so that even a successful setUssd injection yields minimal OS-level impact on the router.
- prevent: Mandates timely application of vendor patches that eliminate the unsanitized setUssd code path in firmware 9.1.0u.6279_B20210910.

References