CVE-2026-7633
File Inclusion Vulnerability in Totolink N300RH Router
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | n300rh | 6.1c.1353_b20190305 |
| totolink | n300rh | 6.1c.1390_b20191101 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Totolink N300RH V4 wireless router's web management interface, specifically in the setUploadSetting function. It arises because the FileName parameter is taken directly from the HTTP request without any validation or sanitization and passed to the unlink() system call. This allows an attacker to perform file inclusion and deletion by specifying arbitrary file paths, including absolute paths or path traversal sequences.
As a result, an unauthenticated remote attacker can delete arbitrary files on the device's filesystem with root privileges, potentially causing serious damage such as device bricking or denial of service.
How can this vulnerability impact me?
This vulnerability can have severe impacts including the deletion of critical system files on the affected device, which can lead to denial of service or complete device failure (bricking).
Because the attacker can execute these actions remotely and without authentication, it poses a significant security risk, potentially allowing full system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the vulnerable device's web management interface, specifically targeting the /cgi-bin/cstecgi.cgi endpoint with the setUploadSetting function.
You can look for suspicious HTTP requests that include the FileName parameter with path traversal sequences such as ../../../ or absolute paths that attempt to delete or access critical system files.
A simple detection method is to use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to the device and inspect for such malicious payloads.
Example tcpdump command to capture HTTP requests to the device (replace <device_ip> with the router's IP):

```
tcpdump -A -s 0 host <device_ip> and tcp port 80
```
You can also use curl or wget to test the vulnerability by sending crafted requests with the FileName parameter containing path traversal sequences to see if the device responds or behaves unexpectedly.
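The inspection described above, turned into a small offline detector that works on raw HTTP requests (for instance the ASCII output of the tcpdump capture, split per request). This is an added example, not code from the advisory or from Totolink; it assumes the function name and the FileName parameter appear either in the query string or in a JSON body of a request to /cgi-bin/cstecgi.cgi (the `topicurl` key in the constructed samples is an assumption about the request layout, not something the advisory states). It URL-decodes twice so that double-encoded traversal sequences are not missed.

```python
"""Flag requests to the Totolink management CGI whose FileName parameter looks
like path traversal or an absolute path on a setUploadSetting call.

Added example; not vendor code. The request layout (function name in the query
string or JSON body, FileName as a parameter) is an assumption.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setUploadSetting"
PARAM = "FileName"

# An upload setting should only ever need a bare file name; a leading slash or
# a ".." path component indicates traversal or an absolute path.
SUSPICIOUS = re.compile(r"(^[/\\])|(\.\.[/\\])|([/\\]\.\.)|(^\.\.$)")


def decode_param(value: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is seen."""
    return unquote(unquote(value))


def filename_values(raw_request: str) -> tuple[bool, list[str]]:
    """Parse one raw HTTP request (head and body separated by a blank line).

    Returns (is_setUploadSetting_call, [decoded FileName values]).
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split()
    if len(parts) < 2:
        return False, []
    url = urlsplit(parts[1])
    if url.path != CGI_PATH:
        return False, []
    is_call = FUNCTION in url.query or FUNCTION in body
    values = [decode_param(v) for v in parse_qs(url.query).get(PARAM, [])]
    try:
        data = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        data = {}
    if isinstance(data, dict) and PARAM in data:
        values.append(decode_param(str(data[PARAM])))
    return is_call, values


def find_alerts(raw_requests: list[str]) -> list[dict]:
    """One alert per request that calls the function with a suspicious FileName."""
    alerts = []
    for idx, req in enumerate(raw_requests):
        is_call, values = filename_values(req)
        bad = [v for v in values if SUSPICIOUS.search(v)]
        if is_call and bad:
            alerts.append({"request": idx, "filenames": bad})
    return alerts


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/cstecgi.cgi?action=getStatus HTTP/1.1\r\nHost: router\r\n\r\n",
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: router\r\n\r\n"
    '{"topicurl": "setUploadSetting", "FileName": "firmware.bin"}',
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: router\r\n\r\n"
    '{"topicurl": "setUploadSetting", "FileName": "../../../etc/passwd"}',
    "GET /cgi-bin/cstecgi.cgi?topicurl=setUploadSetting"
    "&FileName=%252e%252e%252f%252e%252e%252fetc%252fconfig HTTP/1.1\r\n\r\n",
    "GET /cgi-bin/cstecgi.cgi?topicurl=setUploadSetting"
    "&FileName=/var/log/messages HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_REQUESTS):
        print(alert)
```

Requests 0 and 1 are benign (no function call, or a bare file name); requests 2, 3 and 4 are flagged, the third one only because the double URL-decoding recovers `../../etc/config` from the encoded value.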
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable web management interface to trusted networks or IP addresses only.
Ensure that authentication is enforced on sensitive endpoints such as setUploadSetting to prevent unauthenticated exploitation.
If possible, update the device firmware to a version that includes validation and sanitization of the FileName parameter to prevent arbitrary file deletion.
As a temporary measure, monitor and block suspicious HTTP requests that attempt to exploit this vulnerability.
Running the web server with minimal privileges can also reduce the impact of a successful exploit.
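To make concrete what "validation and sanitization of the FileName parameter" means for a handler that ends in unlink(), here is an added illustration of the check such a handler should perform. It is written in Python for readability and is not the vendor's fix (the firmware's CGI is not Python); UPLOAD_DIR is an assumed location for uploaded files. The value is rejected unless it is a bare file name, and the joined path is additionally confirmed to resolve inside the upload directory after symlinks are followed, so neither traversal nor absolute paths can reach other files.

```python
"""Input validation a setUploadSetting-style handler should apply to FileName
before any unlink(). Added illustration in Python, not the vendor's code;
UPLOAD_DIR is an assumed directory.
"""
import os
import tempfile

UPLOAD_DIR = "/tmp/uploads"  # assumed location of uploaded files


class UnsafeFileName(ValueError):
    """Raised when a FileName value is not a bare name inside the upload dir."""


def resolve_upload_path(file_name: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Return the absolute path of file_name inside upload_dir, or raise.

    Two independent checks: the value must be a bare name (no separators,
    no '.'/'..', no NUL), and the joined path must still resolve under
    upload_dir once symlinks are followed.
    """
    if not file_name or "\x00" in file_name:
        raise UnsafeFileName("empty name or NUL byte")
    if os.path.basename(file_name) != file_name or file_name in (".", ".."):
        raise UnsafeFileName(f"directory component in {file_name!r}")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFileName(f"{file_name!r} escapes the upload directory")
    return candidate


def delete_upload(file_name: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """Delete a previously uploaded file; True if a file was actually removed."""
    path = resolve_upload_path(file_name, upload_dir)
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False


def demo() -> dict:
    """Exercise the checks in a throwaway directory and report the outcomes."""
    workdir = tempfile.mkdtemp()
    open(os.path.join(workdir, "old.bin"), "w").close()
    rejected = []
    # Constructed hostile values, in the shape the advisory describes.
    for name in ("../../../etc/passwd", "/etc/passwd", "..", "sub/file", "a\x00b", ""):
        try:
            resolve_upload_path(name, workdir)
        except UnsafeFileName:
            rejected.append(name)
    return {
        "rejected": rejected,
        "first_delete": delete_upload("old.bin", workdir),
        "second_delete": delete_upload("old.bin", workdir),
    }


if __name__ == "__main__":
    print(demo())
```

The basename test alone would already stop the traversal and absolute-path cases; the realpath/commonpath check is kept as defence in depth so that a symlink planted in the upload directory cannot redirect the unlink() elsewhere either.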
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Totolink N300RH allows unauthenticated attackers to delete arbitrary files with root privileges, potentially leading to denial of service or full system compromise.
Such a compromise could impact the confidentiality, integrity, and availability of data managed by the device, which are key principles in standards like GDPR and HIPAA.
If the device is used in environments subject to these regulations, exploitation of this vulnerability could lead to non-compliance due to potential unauthorized data manipulation or loss.