CVE-2026-6158
Remote OS Command Injection in Totolink N300RH Upgrade Module
Publication date: 2026-04-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | n300rh | 6.1c.1353_b20190305 |
| totolink | totolink_n300rh_v4 | 6.1c.1390_b20191101 |
| totolink | totolink_n300rh_v4 | 6.1c.1353 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6158 is a remote code execution vulnerability found in the TOTOLINK N300RH V4 wireless router's web management interface. It specifically affects the setUpgradeUboot function within the upgrade.so module.
The vulnerability arises because the setUpgradeUboot handler accepts a user-controlled parameter named FileName from HTTP POST requests without any input validation or sanitization. This parameter is directly used in shell commands executed as root.
An attacker can inject arbitrary operating system commands by including shell metacharacters in the FileName parameter, leading to full system compromise without requiring any authentication or user interaction.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker to execute arbitrary commands on the affected device with root privileges.
Because the exploit requires no authentication or user interaction, an attacker can fully compromise the device remotely, potentially gaining control over the router, accessing sensitive data, modifying configurations, or using the device as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint /cgi-bin/cstecgi.cgi with the parameter topicurl=setUpgradeUboot and suspicious FileName values containing shell metacharacters.
A practical detection method is to look for evidence of command injection attempts, such as unexpected files created by injected commands. For example, the proof of concept uses a FileName parameter like 123\`ls > /usr/lib/lighttpd/web/123.txt\` which creates a file listing in a web-accessible directory.
Suggested commands to detect exploitation attempts include:
- Check web server directories for unexpected files, e.g., ls /usr/lib/lighttpd/web/123.txt
- Monitor HTTP POST requests to /cgi-bin/cstecgi.cgi for topicurl=setUpgradeUboot and suspicious FileName parameters using network capture tools like tcpdump or Wireshark.
- Use grep or similar tools on router logs to find POST requests containing topicurl=setUpgradeUboot and FileName parameters with shell metacharacters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-6158 vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root on affected TOTOLINK N300RH V4 devices. This critical security flaw can lead to full system compromise, unauthorized access, and potential data breaches.
Such a vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data through adequate security controls. The ability for attackers to remotely execute commands without authentication increases the risk of unauthorized data access, modification, or exfiltration, thereby potentially violating these regulations' requirements for data confidentiality, integrity, and availability.
Therefore, affected organizations using this device without proper mitigation may face compliance issues due to the increased risk of data breaches and insufficient security measures.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the router's web management interface, especially the /cgi-bin/cstecgi.cgi endpoint, by limiting network exposure or using firewall rules.
- Implement strict validation and whitelisting of the FileName parameter to allow only expected filename patterns and disallow shell metacharacters.
- Avoid using shell command execution with user input; if possible, update the firmware or software to a version that fixes this vulnerability.
- Add authentication and authorization checks to sensitive upgrade endpoints to prevent unauthenticated access.
- If a firmware update is available from the vendor addressing this issue, apply it promptly.