CVE-2026-6156: Totolink A7100RU OS Command Injection via QoS Rules
A critical OS command injection vulnerability has been reported in the Totolink A7100RU router, tracked as CVE-2026-6156 with a CVSS score of 9.8 (Critical). The vulnerable component is the setIpQosRules function inside the /cgi-bin/cstecgi.cgi CGI handler. Manipulation of the Comment parameter enables an unauthenticated remote attacker to inject and execute arbitrary OS-level commands on the router.
This vulnerability was published to the NVD on April 13, 2026, and affects Totolink A7100RU routers running firmware 7.4cu.2313_b20191024.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6156 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-78 — OS Command Injection |
| Affected Device | Totolink A7100RU |
| Affected Firmware | 7.4cu.2313_b20191024 |
| Vulnerable Component | setIpQosRules function in /cgi-bin/cstecgi.cgi |
| Vulnerable Parameter | Comment |
| Attack Vector | Network — remotely exploitable |
| Authentication Required | None |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Published | April 13, 2026 |
Technical Analysis
The setIpQosRules function is responsible for managing IP Quality of Service (QoS) rule configurations on the Totolink A7100RU. QoS rules allow administrators to prioritize or throttle traffic based on IP addresses, ports, or protocols. The Comment field is a free-text annotation field that allows users to label individual QoS rules with a descriptive note.
Root Cause
Although comment fields are often considered low-risk from a security standpoint — they don't affect functional behavior directly — in this firmware the Comment parameter value is incorporated into a shell command without input sanitization. This means injecting shell metacharacters into a seemingly benign annotation field can break out of the intended string context and execute arbitrary commands.
This type of vulnerability — command injection through a comment or label field — is a known pattern in embedded device firmware, where developers often apply input validation only to functionally significant fields while overlooking descriptive or metadata fields.
Exploitation Path
1. Attacker sends a crafted HTTP POST to /cgi-bin/cstecgi.cgi
2. The request includes the setIpQosRules action with a malicious Comment parameter, such as:
   `{"action":"setIpQosRules","Comment":"test; <os_command>"}`
   or
   `{"action":"setIpQosRules","Comment":"test`<os_command>`"}`
3. The firmware embeds the Comment value unsanitized into a shell command for writing or applying the QoS rule configuration
4. Shell command injection executes the attacker-supplied commands with the process's privileges — typically root
5. Full remote code execution is achieved without authentication
The "Comment Field" Injection Pattern
Comment or label fields are frequently overlooked during security assessments because their purpose is decorative — they don't control device behavior directly. However, in embedded router firmware where data flows from HTTP parameters to shell commands, any unsanitized parameter — regardless of its apparent purpose — creates an injection surface.
This pattern has appeared across multiple embedded router vendors and firmware generations. The lesson for device manufacturers is that all user-supplied input must be sanitized before being passed to any shell execution context, not just functionally critical parameters.
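The following C program is an added example, not code from the Totolink firmware or from this advisory. It places the unsafe pattern described under Root Cause and in this section (a free-text Comment value pasted into a shell command line) beside a hardened handler that applies an allowlist to the label and then hands the arguments to the configuration tool as an argv array rather than a shell string. The command name `qos_apply` and its options are assumed placeholders; the real firmware's command is not on the page.

```c
/*
 * Added example (not Totolink's code): the unsafe "comment into shell" pattern
 * beside a hardened version. "qos_apply" and its flags are assumed placeholders.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_MAX     256
#define COMMENT_MAX 32

/* Vulnerable pattern: the comment lands verbatim inside a shell command line.
 * The firmware would pass this string to system() or popen(); this function
 * only builds it, so the effect of a metacharacter can be inspected safely. */
int build_qos_cmd_unsafe(char *out, size_t outlen, const char *ip, const char *comment)
{
    int n = snprintf(out, outlen, "qos_apply --ip %s --comment %s", ip, comment);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: allowlist validation. A rule label needs nothing beyond
 * letters, digits, space, dot, underscore and hyphen, and a short length.
 * Anything else (';', '`', '$', '|', '&', newline, ...) is rejected outright. */
int comment_is_valid(const char *comment)
{
    size_t len = strlen(comment);
    if (len == 0 || len > COMMENT_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)comment[i];
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. Arguments go into an argv array for
 * execve()/posix_spawn(), so even a byte that slipped past validation is an
 * ordinary argument character, never shell syntax. Returns argc, or -1 when
 * the comment is rejected. argv must have room for 6 entries. */
int build_qos_argv(const char *argv[6], const char *ip, const char *comment)
{
    if (!comment_is_valid(comment)) return -1;
    argv[0] = "qos_apply";
    argv[1] = "--ip";
    argv[2] = ip;
    argv[3] = "--comment";
    argv[4] = comment;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed inputs: a benign label and the advisory's injection shape. */
    const char *labels[] = { "office printer", "test; <os_command>" };
    char cmd[CMD_MAX];
    const char *argv[6];

    for (int i = 0; i < 2; i++) {
        build_qos_cmd_unsafe(cmd, sizeof cmd, "192.0.2.10", labels[i]);
        printf("unsafe shell line : %s\n", cmd);
        printf("hardened verdict  : %s\n\n",
               build_qos_argv(argv, "192.0.2.10", labels[i]) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The two steps are independent defences: the allowlist keeps the label meaningful and short, and the argv path removes the shell from the data flow entirely, which is the fix that actually closes CWE-78 even for fields that are never validated.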
Impact
| Impact Area | Description |
|---|---|
| Unauthenticated RCE | Execute arbitrary commands without credentials from the network |
| Root Privileges | Web server processes on embedded routers typically run as root |
| Network Takeover | Full control over routing, DNS, firewall, and NAT rules |
| Persistent Backdoor | Modify startup scripts or firmware to survive reboots |
| Traffic Manipulation | Intercept, redirect, or drop user traffic |
| Botnet Recruitment | Compromise device for inclusion in IoT botnets (e.g., Mirai variants) |
| LAN Reconnaissance | Use router shell access to scan and attack internal network hosts |
Relationship to CVE-2026-6154 and CVE-2026-6155
CVE-2026-6156 was disclosed on the same date as:
- CVE-2026-6154 — Command injection via setWizardCfg/wizard parameter
- CVE-2026-6155 — Command injection via setWanCfg/pppoeServiceName parameter
All three affect the Totolink A7100RU running related firmware versions, and all exploit the same /cgi-bin/cstecgi.cgi handler. The consistent pattern across three distinct CGI functions (wizard config, WAN config, and QoS rules) strongly suggests a systemic issue in the router's firmware development: user input is consistently passed to shell commands without sanitization across the codebase.
This batch disclosure may represent only a subset of command injection points in the A7100RU firmware. Organizations running this device should assume additional undisclosed vulnerabilities may exist.
Remediation
Immediate Steps
1. Firmware update
Check Totolink's official support portal for updated firmware for the A7100RU. Apply any available update that addresses these CGI handler vulnerabilities.
2. Disable WAN-facing administrative access
The risk is significantly reduced if the router's HTTP management interface is not accessible from the WAN. Disable remote management:
Totolink A7100RU Admin Panel:
```text
Advanced → Remote Management
→ Disable remote administration
→ Save settings
```
3. Firewall rules
If operating in an environment where firewall configuration is possible upstream of the router, block inbound access to the router's management port (typically TCP 80 and 8080) from untrusted networks.
4. Network monitoring
Watch for router compromise indicators:
```sh
# Verify DNS settings remain expected
cat /etc/resolv.conf   # on LAN hosts

# Check for unexpected outbound connections from the router's WAN IP
# using upstream monitoring at your ISP or firewall

# Test for unauthorized open ports on the router
nmap -p 1-10000 <router-ip>
```
5. Replace the device if unpatched
If Totolink does not release a patch addressing CVE-2026-6154, CVE-2026-6155, and CVE-2026-6156, consider replacing the A7100RU with a router from a vendor actively maintaining security updates. Consumer routers that receive no security patches represent unacceptable risk on any network boundary.
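As an added monitoring example for step 4 (not from the advisory or the vendor), the C program below detects the request shape this CVE relies on: a POST to /cgi-bin/cstecgi.cgi carrying the setIpQosRules action whose Comment value contains shell metacharacters. It is written for a proxy, IDS or WAF in front of the router that sees request bodies; the router's own access log normally does not. The sample requests are constructed, and the action name `otherAction` in one of them is an assumed placeholder.

```c
/*
 * Added example (not from the advisory): flag CVE-2026-6156-shaped requests
 * seen by a proxy/IDS in front of the router. Sample traffic is constructed.
 */
#include <stdio.h>
#include <string.h>

#define QOS_PATH   "/cgi-bin/cstecgi.cgi"
#define QOS_ACTION "\"action\":\"setIpQosRules\""
/* Bytes that let a value escape a shell word: separators, substitution,
 * redirection, grouping, newline and backslash (conservative for detection). */
#define SHELL_META ";|&`$\n<>(){}\\"

/* Copy the string value of "Comment" from a JSON body into out.
 * Returns 1 on success, 0 if the key is absent or not a string.
 * Backslash escapes are kept, so an escaped quote cannot end the value early. */
int extract_comment(const char *body, char *out, size_t outlen)
{
    const char *key = strstr(body, "\"Comment\"");
    if (!key) return 0;
    const char *p = strchr(key + strlen("\"Comment\""), ':');
    if (!p) return 0;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '"') return 0;
    p++;
    size_t i = 0;
    while (*p && *p != '"') {
        if (*p == '\\' && p[1] != '\0') {      /* keep escape and escaped byte */
            if (i + 1 < outlen) out[i++] = *p;
            p++;
        }
        if (i + 1 < outlen) out[i++] = *p;
        p++;
    }
    out[i] = '\0';
    return 1;
}

/* 1 when method, path, action and Comment together match the exploit shape. */
int qos_request_is_suspicious(const char *method, const char *path, const char *body)
{
    char comment[512];
    if (strcmp(method, "POST") != 0) return 0;
    if (strncmp(path, QOS_PATH, strlen(QOS_PATH)) != 0) return 0;
    if (!strstr(body, QOS_ACTION)) return 0;
    if (!extract_comment(body, comment, sizeof comment)) return 0;
    return strpbrk(comment, SHELL_META) != NULL;
}

struct request { const char *method, *path, *body; };

/* Constructed sample traffic: a benign rule update, the advisory's two
 * injection shapes, an unrelated action (assumed name) and a page fetch. */
static const struct request SAMPLE[] = {
    {"POST", QOS_PATH, "{\"action\":\"setIpQosRules\",\"Comment\":\"office printer\"}"},
    {"POST", QOS_PATH, "{\"action\":\"setIpQosRules\",\"Comment\":\"test; <os_command>\"}"},
    {"POST", QOS_PATH, "{\"action\":\"setIpQosRules\",\"Comment\":\"test`<os_command>`\"}"},
    {"POST", QOS_PATH, "{\"action\":\"otherAction\",\"Comment\":\"x; y\"}"},
    {"GET",  "/index.html", ""},
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

int count_suspicious(const struct request *r, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (qos_request_is_suspicious(r[i].method, r[i].path, r[i].body)) hits++;
    return hits;
}

int count_sample_hits(void) { return count_suspicious(SAMPLE, NSAMPLE); }

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-5s %-22s %s\n", SAMPLE[i].method, SAMPLE[i].path,
               qos_request_is_suspicious(SAMPLE[i].method, SAMPLE[i].path, SAMPLE[i].body)
                   ? "SUSPICIOUS" : "ok");
    printf("%d suspicious request(s)\n", count_sample_hits());
    return 0;
}
```

Because the CVE-2026-6154 and CVE-2026-6155 sinks live in the same handler, the same detector can be widened to those actions by checking the wizard and pppoeServiceName fields with the same metacharacter test; a hit on any of them from a WAN-side source address is a strong signal that the device is being probed.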
Key Takeaways
- CVE-2026-6156 is a CVSS 9.8 Critical OS command injection in the Totolink A7100RU's QoS rule configuration handler
- The Comment annotation field — often overlooked in security review — passes user input unsanitized to a shell command
- This is the third in a trio of related CVEs (6154, 6155, 6156) disclosing command injection across multiple functions in the same A7100RU CGI handler
- The systemic pattern across all three CVEs suggests more injection points may exist in this firmware
- No authentication is required — all network-accessible A7100RU routers running affected firmware are potentially exploitable
- Disable WAN-side admin access and apply firmware updates immediately; consider device replacement if support is unavailable