Executive Summary
CVE-2026-6138 is a critical OS command injection vulnerability affecting the Totolink A7100RU router running firmware 7.4cu.2313_b20191024. The vulnerability exists in the setAccessDeviceCfg function of /cgi-bin/cstecgi.cgi. An attacker can inject arbitrary OS commands through the mac parameter, gaining unauthenticated remote code execution on the device.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6138 |
| CVSS Score | 9.8 (Critical) |
| Type | OS Command Injection |
| Component | setAccessDeviceCfg in /cgi-bin/cstecgi.cgi |
| Injection Parameter | mac |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality / Integrity / Availability | High / High / High |
| Published | 2026-04-13 |
Affected Products
| Product | Firmware Version | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable — no patch available |
Technical Details
Vulnerability Mechanism
The setAccessDeviceCfg function in the Totolink A7100RU CGI handler is designed to manage access control policies for connected devices, keyed by MAC address. The mac parameter — expected to be a 48-bit hardware address in standard colon-separated format — is passed unsanitized into a shell command string. This allows attackers to embed shell metacharacters and inject arbitrary commands.
Proof-of-Concept Attack Pattern
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded

action=setAccessDeviceCfg&mac=AA:BB:CC:DD:EE:FF;id;

Because MAC addresses are typically treated as trusted "hardware identifiers" by firmware developers, this parameter may receive less scrutiny during development, making it a reliable injection vector.
MAC Address as an Injection Vector
MAC address parameters are particularly prone to overlooked injection vulnerabilities because:
- They appear to be a constrained format (HH:HH:HH:HH:HH:HH)
- Developers may assume the client-side UI enforces format validation
- No server-side validation or escaping is applied before shell execution
An attacker can simply bypass any client-side validation by crafting a raw HTTP POST request.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full command execution at CGI handler privilege level (typically root on embedded Linux) |
| Access Control Bypass | Attacker can modify MAC filter allowlists/blocklists, granting unauthorized LAN access |
| Credential Harvesting | Router admin password, Wi-Fi PSKs, and DDNS credentials extractable from NVRAM/config |
| Persistent Backdoor | Cron jobs, init scripts, or modified firmware can be installed for persistence |
| Network Pivoting | Router used as a beachhead to attack LAN-internal systems |
| Botnet Enrollment | Device can be co-opted into a botnet for DDoS or cryptomining |
Recommendations
Immediate Actions
- Block all external access to the router's web management port — TCP 80 and 443 should not be reachable from the WAN interface
- Verify no port-forwarding rules expose the management port — check NAT/port-forwarding configuration
- Update firmware when a patched release is published by Totolink
- Audit connected devices for signs of unauthorized access enabled via modified MAC filter rules
- Replace end-of-life devices — if this firmware is no longer supported, replace the router with an actively maintained model
Hardening Configuration
1. Disable HTTP management (use HTTPS only if required on LAN)
2. Enable MAC address filtering for management access (LAN-side admin station only)
3. Change default admin credentials to a strong, unique password
4. Disable UPnP to prevent automatic port-forwarding configuration
5. Segment IoT devices including routers onto a dedicated VLAN
Detection Indicators
| Indicator | Description |
|---|---|
| POST to cstecgi.cgi with shell metacharacters in mac field | Active exploitation attempt |
| Unexpected access control list entries in router config | Attacker-modified device rules |
| New admin accounts or changed credentials | Post-exploitation privilege escalation |
| Unusual outbound traffic on non-standard ports | C2 communication or botnet activity |
| Router firmware version change without admin action | Firmware implant installation |
Cluster of Related Vulnerabilities
CVE-2026-6138 is part of a trio of OS command injection vulnerabilities discovered in Totolink A7100RU firmware 7.4cu.2313_b20191024:
| CVE | Function | Injection Parameter |
|---|---|---|
| CVE-2026-6131 | setTracerouteCfg | command |
| CVE-2026-6132 | setLedCfg | enable |
| CVE-2026-6138 | setAccessDeviceCfg | mac |
The breadth of affected CGI functions suggests that input sanitization is absent at the framework level throughout this firmware version, and additional undiscovered injection points likely exist.
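As an added example (not part of this advisory and not Totolink's code), the following Python shows the allowlist check the firmware should have applied to mac, and turns the first row of the detection indicator table into a scanner over request logs that covers all three parameters in the cluster table above. The log layout and the sample lines are constructed for this example; the action-to-parameter mapping is taken from the table.

```python
import re
from urllib.parse import unquote_plus
# Strict shape the firmware should have enforced: six colon-separated hex octets.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
# Characters that must never travel from request input into a shell command string.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")
# Action -> parameter handed to the shell, from the advisory's cluster table.
INJECTABLE = {"setAccessDeviceCfg": "mac", "setLedCfg": "enable", "setTracerouteCfg": "command"}
# Constructed log layout for this example (not a real Totolink or proxy format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) body=(?P<body>.*)$")

def parse_form(body: str) -> dict:
    # Decode like the CGI does, splitting only on '&' so a ';' inside a value stays visible.
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def classify_body(body: str) -> str:
    # 'benign', 'malformed' (wrong shape, no metacharacters) or 'exploit-attempt'.
    params = parse_form(body)
    field = INJECTABLE.get(params.get("action", ""))
    if field is None:
        return "benign"
    value = params.get(field, "")
    if any(ch in SHELL_META for ch in value):
        return "exploit-attempt"
    if field == "mac" and MAC_RE.fullmatch(value) is None:
        return "malformed"
    return "benign"

def scan_log(text: str) -> list:
    # (timestamp, source, verdict) for every cstecgi.cgi POST that is not benign.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["uri"].endswith("/cstecgi.cgi"):
            verdict = classify_body(m["body"])
            if verdict != "benign":
                hits.append((m["ts"], m["src"], verdict))
    return hits

# Constructed sample: line 2 carries the advisory's ';id;' payload, line 3 the same with ';' URL-encoded as %3B (decode before checking), line 4 a typo.
SAMPLE_LOG = """\
2026-04-14T10:01:02Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi body=action=setAccessDeviceCfg&mac=AA:BB:CC:DD:EE:FF
2026-04-14T10:01:09Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi body=action=setAccessDeviceCfg&mac=AA:BB:CC:DD:EE:FF;id;
2026-04-14T10:02:30Z 192.0.2.5 POST /cgi-bin/cstecgi.cgi body=action=setAccessDeviceCfg&mac=AA%3ABB%3ACC%3ADD%3AEE%3AFF%3Bid%3B
2026-04-14T10:03:11Z 198.51.100.9 POST /cgi-bin/cstecgi.cgi body=action=setAccessDeviceCfg&mac=AA:BB:CC:DD:EE
"""
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 as exploit attempts and line 4 as malformed; the same classify_body check, applied server-side before any shell call, is the fix the firmware lacks.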