Critical Command Injection Vulnerability in Totolink A7100RU (CVE-2026-6138)
Severity: High (Score: 75.0)
Sources: Feedly, infinitsec.net, www.thehackerwire.com
Summary
A critical vulnerability, CVE-2026-6138, has been identified in the Totolink A7100RU firmware version 7.4cu.2313_b20191024. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands via command injection through the setAccessDeviceCfg function in the CGI Handler component. The vulnerability is actively being exploited, and its CVSS score of 9.8 indicates critical severity. No patches or mitigations are currently available, leaving affected devices exposed to complete compromise. Users are advised to restrict network access to the device's management interface and to monitor for suspicious activity. An exploit has been published, and the potential for service disruption or data breach is significant. Related vulnerabilities, such as CVE-2026-6157 and CVE-2026-6140, were published on the same date, indicating a broader issue with Totolink devices.
Key Points:
- CVE-2026-6138 allows remote command injection on Totolink A7100RU devices.
- The vulnerability has a CVSS score of 9.8, indicating critical severity.
- No patches are available, and the exploit is confirmed to be actively used.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-6138 (cve)
- CVE-2026-6139 (cve)
- CVE-2026-6140 (cve)
- CVE-2026-6157 (cve)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Totolink A7100ru (platform)