Critical RCE Hits Totolink Routers: CVE-2026-6156 Explained

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-6156, has been identified in the Totolink A7100RU wireless router, specifically version 7.4cu.2313_b20191024. According to the National Vulnerability Database (NVD), this flaw stems from improper handling of the Comment argument within the setIpQosRules function of the /cgi-bin/cstecgi.cgi component. This allows for OS command injection, a classic but often devastating vulnerability.

The NVD has assigned this CVE a CVSS v3.1 score of 9.8, classifying it as CRITICAL. The attack vector is network-based, requires low attack complexity, no privileges, and no user interaction, making it ripe for exploitation. What’s particularly alarming is that the exploit has been publicly disclosed, meaning threat actors can — and likely will — weaponize this against unpatched devices. This is a red flag for anyone running these devices on their network edge.

This vulnerability, categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command), highlights a persistent issue in embedded device security. When attackers can inject arbitrary commands, they essentially own the device, gaining full control over its operations and potentially pivoting deeper into the network. This is the kind of low-hanging fruit that mass exploitation campaigns thrive on.