CVE-2026-6155: Totolink A7100RU OS Command Injection via WAN Config
A critical OS command injection vulnerability has been identified in the Totolink A7100RU router, assigned CVE-2026-6155 with a CVSS score of 9.8 (Critical). The flaw exists in the setWanCfg function within the /cgi-bin/cstecgi.cgi CGI handler. An unauthenticated remote attacker can exploit the pppoeServiceName parameter to inject and execute arbitrary operating system commands on the router.
The vulnerability was published to the NIST National Vulnerability Database on April 13, 2026, and affects firmware version 7.4cu.2313.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6155 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-78 — OS Command Injection |
| Affected Device | Totolink A7100RU |
| Affected Firmware | 7.4cu.2313 |
| Vulnerable Component | setWanCfg function in /cgi-bin/cstecgi.cgi |
| Vulnerable Parameter | pppoeServiceName |
| Attack Vector | Network — remotely exploitable |
| Authentication Required | None |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Published | April 13, 2026 |
Technical Analysis
The setWanCfg function in the Totolink A7100RU CGI handler manages WAN (Wide Area Network) connection configuration, including PPPoE (Point-to-Point Protocol over Ethernet) settings. PPPoE is a common broadband connection protocol used by DSL providers, and the pppoeServiceName parameter is used to configure the PPPoE service name for the WAN connection.
Root Cause
The firmware's setWanCfg implementation takes the pppoeServiceName value supplied in the HTTP request and incorporates it into a shell command — typically for configuring the PPPoE daemon or updating a configuration file — without sanitizing the input. An attacker who supplies shell metacharacters in this parameter can break out of the intended command context and inject arbitrary commands.
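The pattern described above next to one way to close it, as an added example (not Totolink's firmware code, which the page does not show). The command text, the `pppoe-setup` helper path, the 64-byte limit and the allowlist are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SVC_MAX 64  /* assumed length limit, not taken from the firmware */

/* Vulnerable pattern: the request value lands inside a string that would be
 * handed to system()/popen(), so /bin/sh interprets ; ` $( ) | & and friends.
 * The command text is a hypothetical stand-in; nothing is executed here. */
int build_shell_cmd_unsafe(char *out, size_t n, const char *svc) {
    return snprintf(out, n, "pppoe-setup --service %s", svc);
}

/* Hardened step 1: allowlist. Letters, digits, '-', '_', '.' only; non-empty,
 * bounded, and no leading '-' so the value cannot be read as an option. */
int svc_name_is_valid(const char *svc) {
    size_t len = svc ? strlen(svc) : 0;
    if (len == 0 || len > SVC_MAX || svc[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)svc[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened step 2: build an argv[] for execv() instead of a shell string.
 * Each element reaches the program as one argument; no shell parses it.
 * Returns the argument count, or -1 if the value is rejected. */
int build_argv_safe(const char *svc, const char *argv[], size_t cap) {
    if (cap < 4 || !svc_name_is_valid(svc))
        return -1;
    argv[0] = "/usr/sbin/pppoe-setup";   /* hypothetical helper binary */
    argv[1] = "--service";
    argv[2] = svc;
    argv[3] = NULL;                      /* execv() terminator */
    return 3;
}

int main(void) {
    /* Constructed inputs: one benign name and the two shapes from the page. */
    const char *samples[] = { "isp-broadband_01", "svc`<cmd>`", "svc; <cmd>" };
    const char *argv[4];
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", samples[i],
               build_argv_safe(samples[i], argv, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The argv path is what takes the shell out of the picture; the allowlist is a second layer and can be widened if an ISP's service name needs other characters.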
Exploitation Path
```
1. Attacker locates a Totolink A7100RU router accessible on the network
   (LAN access is sufficient; WAN access if remote management is enabled)
2. Attacker crafts an HTTP POST to /cgi-bin/cstecgi.cgi with action
   set to setWanCfg and injects into pppoeServiceName:
   {"action":"setWanCfg","pppoeServiceName":"svc`<cmd>`"}
   or
   {"action":"setWanCfg","pppoeServiceName":"svc; <cmd>"}
3. Firmware passes pppoeServiceName unsanitized into a shell call
4. Injected command executes with the privileges of the web server
   process — typically root on this embedded Linux device
5. Attacker achieves arbitrary remote code execution
```
Why pppoeServiceName Is a High-Risk Vector
WAN configuration parameters like pppoeServiceName are particularly dangerous targets for command injection because:
- They are often not scrutinized as closely as login-related parameters during security reviews
- PPPoE service names may contain a range of characters, which can make developers less likely to apply strict validation
- WAN configuration is a core function of the device and the handler is always available
This pattern — command injection via ISP or WAN configuration parameters — has been observed in multiple embedded router vulnerabilities across different vendors.
Impact
Successful exploitation allows a remote attacker to:
| Impact | Description |
|---|---|
| Remote Code Execution | Execute arbitrary commands as root on the router |
| Full Device Takeover | Modify firmware, configuration, and firewall rules |
| Traffic Interception | Redirect or monitor all network traffic through the device |
| DNS Hijacking | Alter DNS resolver settings to redirect user traffic to attacker-controlled servers |
| Botnet Enrollment | Enlist the device in a Mirai-variant or similar IoT botnet |
| Lateral Movement | Use the compromised router as a pivot to attack LAN-connected hosts |
| Persistence | Modify startup scripts to maintain access across reboots |
Affected Versions
| Device | Firmware | Vulnerable |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313 | Yes |
Check the Totolink support portal for the latest firmware. No official patch was confirmed at the time of NVD publication.
Remediation
Priority Actions
1. Apply firmware updates
Check the Totolink official support page for updated firmware for the A7100RU. If a patched firmware is available, apply it during a maintenance window.
2. Disable remote management (WAN-side admin access)
Even if you have not explicitly enabled remote management, it may still be active in some firmware versions. Verify the setting and disable it:
```
Totolink A7100RU Admin Panel:
Administration → Remote Management
→ Set "Enable Remote Management" to OFF
```
3. Network segmentation
Place IoT devices and consumer routers on a separate VLAN isolated from sensitive hosts. This limits the blast radius if the device is compromised.
4. Monitor for anomalous router behavior
```bash
# Verify your router's DNS configuration has not been altered
# Compare configured DNS servers against known-good values
nslookup example.com
# If results differ from expected, check router DNS settings
# Monitor outbound connections at the network perimeter
# for unusual connections from the router's WAN IP
```
5. Consider device replacement
If the A7100RU firmware is no longer receiving security updates from Totolink, consider replacing the device with a router from a vendor with an active security patch program.
Relationship to CVE-2026-6154 and CVE-2026-6156
CVE-2026-6155 was disclosed alongside CVE-2026-6154 (command injection via setWizardCfg / wizard parameter) and CVE-2026-6156 (command injection via setIpQosRules / Comment parameter) — all affecting the same Totolink A7100RU CGI handler.
This cluster of vulnerabilities points to a systematic lack of input sanitization in the A7100RU's CGI handler implementation. Multiple independent functions in the same file (/cgi-bin/cstecgi.cgi) are vulnerable to the same class of attack, suggesting that the root cause is a pervasive development practice rather than an isolated oversight.
Organizations with Totolink routers in their environments should treat all three CVEs as a related set and apply mitigations for all simultaneously.
Key Takeaways
- CVE-2026-6155 is a CVSS 9.8 Critical OS command injection in the Totolink A7100RU's WAN configuration handler
- The pppoeServiceName parameter is passed unsanitized to a shell command, enabling unauthenticated remote code execution
- This is part of a trio of CGI handler command injection CVEs (6154, 6155, 6156) all affecting the same device
- No authentication is required to exploit this vulnerability from the network
- Disable WAN-side admin access, apply available firmware updates, and consider device replacement if support has ended