CVE-2026-7548
Published: 01 May 2026
Summary
CVE-2026-7548 is a high-severity Injection (CWE-74) vulnerability in Totolink NR1800X (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability has been identified in the Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910. The flaw resides in the sub_41A68C function within /cgi-bin/cstecgi.cgi and is triggered by unsanitized input to the setUssd argument, corresponding to CWE-74 and CWE-77. The issue is remotely reachable and carries a CVSS 4.0 score of 7.4.
An attacker with low-privileged network access can supply a crafted setUssd value to execute arbitrary operating-system commands on the device. Public exploit code has been released, enabling straightforward remote code execution without user interaction.
The EPSS score remains flat at 0.0190 with no material increase after disclosure. Reference links point to a proof-of-concept repository and vendor site, but no specific patch or mitigation guidance is detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26472
Vulnerability details
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. It affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Manipulating the argument setUssd results in command injection. The attack can be carried out remotely. The exploit is now public and may be used.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via web CGI on router enables exploitation of public-facing application (T1190) and arbitrary command execution on network device CLI (T1059.008).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the untrusted setUssd input before it reaches the CGI function, blocking a command-injection payload before any OS command executes.
- Least privilege for the web-server/CGI process: limits the privileges under which /cgi-bin/cstecgi.cgi runs, so that even a successful setUssd injection yields minimal OS-level impact on the router.
- SI-2 (Flaw Remediation): mandates timely application of vendor patches that eliminate the unsanitized setUssd code path in firmware 9.1.0u.6279_B20210910.
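To make the SI-10 control concrete, the following is an added example (not Totolink's code, and not derived from the public proof of concept) of the CWE-77 pattern this CVE describes: a request parameter pasted into a shell command line, placed beside a hardened handler that applies an allowlist and executes its helper without a shell. The handler names (build_shell_command_unsafe, ussd_is_valid, run_ussd_helper), the helper path, and the assumed USSD grammar ([*#][0-9*#]*#, at most 32 bytes) are assumptions for illustration.

```c
/* Added example (not Totolink firmware code): the command-injection pattern
 * described for the setUssd argument, and an input-validated, shell-free
 * replacement. Function names, helper path and USSD grammar are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define USSD_MAX 32

/* Vulnerable pattern (for contrast only, never run on real input): the request
 * parameter is formatted straight into a command line destined for system(),
 * so any shell metacharacter in `code` is interpreted by the shell. */
int build_shell_command_unsafe(char *out, size_t cap, const char *code) {
    return snprintf(out, cap, "/usr/sbin/ussd_helper %s", code);
}

/* Returns 1 if the unsafe builder lets character `ch` through untouched. */
int unsafe_passes_through(const char *code, char ch) {
    char line[256];
    build_shell_command_unsafe(line, sizeof line, code);
    return strchr(line, ch) != NULL;
}

/* SI-10 style allowlist. Assumed grammar: starts with '*' or '#', ends with
 * '#', contains only digits, '*' and '#', and is at most USSD_MAX bytes.
 * Every shell metacharacter fails the character check. */
int ussd_is_valid(const char *code) {
    size_t n = code ? strlen(code) : 0;
    if (n < 2 || n > USSD_MAX) return 0;
    if (code[0] != '*' && code[0] != '#') return 0;
    if (code[n - 1] != '#') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)code[i];
        if (!isdigit(c) && c != '*' && c != '#') return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then exec the helper directly with an
 * argv array so no shell ever parses the value. Returns -1 if the input is
 * rejected, -2 on fork/exec/wait failure, otherwise the helper's exit status. */
int run_ussd_helper(const char *helper_path, const char *code) {
    if (!ussd_is_valid(code)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)code, NULL };
        execv(helper_path, argv);   /* no /bin/sh involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void) {
    /* Constructed inputs: one well-formed code, one carrying a metacharacter. */
    const char *good = "*100#";
    const char *bad  = "*100#;x";
    printf("unsafe builder keeps ';' from \"%s\": %d\n", bad, unsafe_passes_through(bad, ';'));
    printf("validator: \"%s\" -> %d, \"%s\" -> %d\n", good, ussd_is_valid(good), bad, ussd_is_valid(bad));
    /* /bin/echo stands in for the real modem helper on the router. */
    printf("hardened handler with good input: %d\n", run_ussd_helper("/bin/echo", good));
    printf("hardened handler with bad input:  %d\n", run_ussd_helper("/bin/echo", bad));
    return 0;
}
```

The design point is that validation and the choice of exec primitive reinforce each other: the allowlist rejects anything outside the expected USSD grammar, and execv with a fixed argv means that even a value the allowlist somehow accepted is passed to the helper as a single argument rather than re-parsed by a shell. The least-privilege control on the page complements this by running the CGI process under a dedicated low-privilege account, which the example leaves to the firmware's init configuration.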