CVE-2026-1601
Remote Command Injection in Totolink A7000R setUploadUserData Function
Publication date: 2026-01-29
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7000r_firmware | 4.1cu.4154 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1601 is a command injection vulnerability in the Totolink A7000R router (firmware version 4.1cu.4154). It exists in the function setUploadUserData within the /cgi-bin/cstecgi.cgi file. An attacker can manipulate the FileName argument to inject and execute arbitrary commands remotely without authentication. This flaw arises because the router improperly handles input, allowing special characters to alter commands executed by the system. [2, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely execute arbitrary commands on the affected router, potentially gaining full control over the device. This compromises the confidentiality, integrity, and availability of the system, enabling unauthorized access, data manipulation, or disruption of network services. Since the exploit is publicly available and easy to perform, the risk of attack is significant. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint /cgi-bin/cstecgi.cgi that invoke the setUploadUserData function, especially those manipulating the FileName argument. A practical detection method is to capture and analyze network traffic for suspicious POST requests targeting this endpoint. Reviewing web server logs for unusual POST requests to /cgi-bin/cstecgi.cgi may also help identify exploitation attempts. Network monitoring tools such as tcpdump or Wireshark can capture the relevant traffic, and curl can be used to test the endpoint. For example, a curl command to test might be: curl -X POST http://<router-ip>/cgi-bin/cstecgi.cgi -d 'action=setting/setUploadUserData&FileName=somepayload'. However, no official detection scripts or commands are provided in the resources. [2, 3]
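One way to implement the log review described above, as an added example that is not part of the original page or any vendor tooling: it classifies captured HTTP requests that reach setUploadUserData and flags FileName values outside a conservative allowlist. The record layout, the two body encodings (form-encoded as in the curl example, or JSON), the allowlist and the sample records are all assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setUploadUserData"
# Assumption: a legitimate upload file name needs only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

def extract_fields(body):
    """Parse a request body as JSON or, failing that, as form-encoded data."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def classify(method, path, body):
    """Return None (unrelated), 'call' (function invoked) or 'suspicious'."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    fields = extract_fields(body)
    if not any(FUNCTION in value for value in fields.values()):
        return None
    name = fields.get("FileName")
    if name is None or SAFE_NAME.fullmatch(name):
        return "call"
    return "suspicious"  # FileName carries characters outside the allowlist

def scan(records):
    """Return (source, verdict) for every record that touches the function."""
    hits = []
    for source, method, path, body in records:
        verdict = classify(method, path, body)
        if verdict:
            hits.append((source, verdict))
    return hits

# Constructed sample records: (source IP, method, path, request body).
SAMPLE = [
    ("192.0.2.10", "GET", "/index.html", ""),
    ("192.0.2.10", "POST", ENDPOINT, "action=setting/setUploadUserData&FileName=config.bin"),
    ("198.51.100.7", "POST", ENDPOINT, "action=setting/setUploadUserData&FileName=fw.bin%3Bconstructed"),
    ("198.51.100.7", "POST", ENDPOINT, '{"action": "setUploadUserData", "FileName": "a$(constructed)"}'),
    ("192.0.2.10", "POST", ENDPOINT, "action=setting/other&FileName=x"),
]

if __name__ == "__main__":
    for source, verdict in scan(SAMPLE):
        print(f"{source}\t{verdict}")
```

Because the page describes the flaw as reachable without authentication, even a 'call' verdict from an address outside the management network is worth reviewing.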
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing use of the affected Totolink A7000R router running firmware version 4.1cu.4154, as no known countermeasures or patches currently exist. It is recommended to replace the affected device with an alternative product. Additionally, restricting network access to the router's management interface, especially blocking remote HTTP POST requests to /cgi-bin/cstecgi.cgi, can reduce exposure. Monitoring for suspicious activity and disabling any unnecessary remote management features may also help mitigate risk until a fix is available. [3]