CVE-2026-7548
Command Injection in Totolink NR1800X Router
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | nr1800x | 9.1.0u.6279_b20210910 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-7548 vulnerability, immediate steps include restricting remote access to the affected Totolink NR1800X device, especially to the /cgi-bin/cstecgi.cgi endpoint.
Avoid sending or accepting requests with the 'topicurl' parameter set to 'setUssd' as this triggers the vulnerable function.
Monitor network traffic for suspicious POST requests targeting the 'setUssd' function with unusual 'ussd' parameter values that could indicate command injection attempts.
If possible, apply any available firmware updates or patches from the vendor to fix the vulnerability.
As a temporary measure, consider disabling or limiting the functionality that processes the 'setUssd' requests until a patch is applied.
Can you explain this vulnerability to me?
CVE-2026-7548 is a command injection vulnerability found in the TOTOLINK NR1800X router, specifically in the setUssd function within the /cgi-bin/cstecgi.cgi file.
The vulnerability occurs because user input from the ussd parameter is directly used in a system command without proper validation, allowing an attacker to inject and execute arbitrary commands on the device.
An attacker can exploit this remotely by sending a crafted HTTP POST request with a malicious payload in the ussd parameter, which can lead to unauthorized command execution on the router.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary commands on the affected TOTOLINK NR1800X router.
- Unauthorized control over the router device.
- Potential disruption of network services.
- Compromise of network security and privacy.
- Attackers could use the router as a foothold for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP POST request to the /cgi-bin/cstecgi.cgi endpoint with the topicurl parameter set to "setUssd" and the ussd parameter containing a command injection payload.
First, log in to the device to obtain a session ID. Then send the POST request with the malicious payload. If the device returns a 200 status code, it indicates the vulnerability is present.
To verify successful exploitation, check for the presence of a marker file created by the injected command, for example, /tmp/ussd_success.
- Log in to the device to get a session ID.
- Send a POST request to /cgi-bin/cstecgi.cgi with topicurl=setUssd and ussd containing a command injection payload.
- Check for HTTP 200 response status.
- Verify the presence of the marker file (e.g., /tmp/ussd_success) on the device.