Overview
CVE-2026-6115 is the fourth in a cluster of critical OS command injection vulnerabilities disclosed on 2026-04-12 for the Totolink A7100RU router firmware 7.4cu.2313_b20191024. This flaw is in the setAppCfg function of the /cgi-bin/cstecgi.cgi handler. Manipulation of the enable parameter results in OS-level command execution, remotely and without authentication.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6115 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-12 |
| Affected Product | Totolink A7100RU 7.4cu.2313_b20191024 |
Vulnerability Details
The setAppCfg function manages application-level feature toggles on the router. The enable parameter is passed to a shell function without sanitization. An attacker can inject arbitrary OS commands by embedding shell syntax into the value, gaining code execution on the device.
The absence of authentication on this CGI endpoint means exploitation requires only network access — no credentials, session tokens, or prior reconnaissance.
Affected Component
- Function: setAppCfg
- File: /cgi-bin/cstecgi.cgi
- Parameter: enable
- Injection Type: OS command injection
- Exploit publicly available: Yes
Broader Disclosure Pattern
All four CVEs in this batch (CVE-2026-6112 through CVE-2026-6115) were published on the same date and affect the same firmware. The consistent pattern — unsanitized parameters passed to system calls in setXxxCfg functions — suggests that a single researcher or automated scanner audited the CGI handler and found multiple injection points in rapid succession.
| CVE | Function | Parameter |
|---|---|---|
| CVE-2026-6112 | setRadvdCfg | maxRtrAdvInterval |
| CVE-2026-6113 | setTtyServiceCfg | ttyEnable |
| CVE-2026-6114 | setNetworkCfg | proto |
| CVE-2026-6115 | setAppCfg | enable |
This signals that additional undisclosed injection points may exist in the same codebase.
Impact
Successful exploitation of CVE-2026-6115 gives an attacker full control over the router at root level. Combined with the other three CVEs, the Totolink A7100RU on firmware 7.4cu.2313_b20191024 must be considered fully compromised if reachable from an untrusted network. Likely outcomes include:
- Persistent backdoor installation surviving reboots
- Credential harvesting (Wi-Fi PSKs, admin passwords, ISP credentials)
- DNS hijacking to redirect LAN clients to malicious infrastructure
- Botnet integration (Mirai and its variants actively target Totolink routers)
- Lateral movement into the local network
Affected Versions
| Product | Firmware | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable |
No patch was confirmed at publication. Visit the Totolink support site for the latest firmware availability.
Remediation
Given the severity and number of simultaneous CVEs, treat this device as critically exposed:
- Immediately restrict network access — Firewall the management interface (port 80/443) to LAN-only trusted hosts.
- Disable remote management — Confirm WAN-side management is disabled via the router admin panel.
- Check for compromise indicators — Review logs for unexpected CGI requests, outbound connections, or modified DNS settings.
- Apply firmware update when available — Monitor Totolink's site and install any patch that addresses these CVEs.
- Plan device replacement — Four simultaneous critical CVEs in one firmware version is a strong signal of poor code quality; replacement with a well-supported router is advised for environments where security matters.
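For the "Check for compromise indicators" step, the following is an added example (not code from the advisory or from Totolink) that flags requests to /cgi-bin/cstecgi.cgi in which one of the four parameters in the table above carries anything other than a short plain token. The page does not give the request format, so the sketch accepts JSON or form-encoded bodies; the `action` key, the allowlist pattern and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

# Function -> parameter pairs from the four CVEs listed on this page.
WATCHED = {"setRadvdCfg": "maxRtrAdvInterval", "setTtyServiceCfg": "ttyEnable",
           "setNetworkCfg": "proto", "setAppCfg": "enable"}
CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Assumption: legitimate values are short plain tokens; anything else is flagged.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]{0,32}")


def parse_body(body):
    """Return request fields as a dict, trying JSON first, then form encoding."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): v if isinstance(v, str) else json.dumps(v)
                    for k, v in data.items()}
    except ValueError:
        pass
    return dict(parse_qsl(body, keep_blank_values=True))


def suspicious_fields(path, body):
    """List (function, parameter, value) triples that fail the allowlist."""
    if path.split("?", 1)[0] != CGI_PATH:
        return []
    fields = parse_body(body)
    hits = []
    for func, param in WATCHED.items():
        # The function name may sit under any key: the page gives no wire format.
        if func in fields.values() and param in fields:
            if not SAFE_VALUE.fullmatch(fields[param]):
                hits.append((func, param, fields[param]))
    return hits


# Constructed log records (path, body); the "action" key is hypothetical.
SAMPLE = [
    (CGI_PATH, '{"action": "setAppCfg", "enable": "1"}'),
    (CGI_PATH, '{"action": "setAppCfg", "enable": "1;CONSTRUCTED"}'),
    (CGI_PATH, "action=setNetworkCfg&proto=dhcp%24%28CONSTRUCTED%29"),
    ("/index.html", '{"action": "setAppCfg", "enable": "1;CONSTRUCTED"}'),
]

if __name__ == "__main__":
    for path, body in SAMPLE:
        print(path, suspicious_fields(path, body))
```

This only works where request bodies are captured, for example at a reverse proxy or WAF in front of the device; plain access logs that record just the request line will not contain the parameter values.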