CVE-2026-6112 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-6112 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-6112 is a critical command injection vulnerability in the Totolink A7100RU router (firmware version 7.4cu.2313_b20191024), specifically within the setRadvdCfg function of the CGI handler located at /cgi-bin/cstecgi.cgi.
Technical Detail
The flaw exists in the setRadvdCfg function, which fails to properly sanitize user-supplied input passed through the CGI interface, allowing an attacker to inject arbitrary operating system commands via a crafted HTTP request. Based on the CVSS score of 9.8 and the nature of the affected component, exploitation is likely achievable without authentication over the network, resulting in remote code execution with the privileges of the web server process, which on embedded devices of this class typically runs as root. Successful exploitation would grant an attacker full control of the affected router, enabling traffic interception, lateral movement into connected networks, or use of the device as a persistent foothold.
Exploitation Status
No exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. As of April 18, 2026, exploit maturity is assessed as "no known exploit". However, command injection vulnerabilities in consumer and small-business routers with publicly documented function names and firmware versions have historically been weaponized quickly once disclosed, and the low barrier to exploitation warrants proactive attention.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Totolink devices as a product class have previously been targeted by botnet operators, including Mirai variants, but no confirmed activity tied to this specific CVE has been reported.
What To Do
Check the Totolink vendor advisory and apply any available firmware update for the A7100RU immediately, prioritizing internet-facing deployments. If no patch is available, restrict access to the device's web management interface by disabling remote administration and limiting LAN-side access to trusted hosts only. Network defenders should monitor for anomalous outbound connections or unexpected process execution originating from the router's management IP. Organizations relying on this device in production environments should evaluate replacement with a supported device if the vendor does not issue a timely patch, given the critical severity and the unauthenticated network attack vector.
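
An added example, not part of the original briefing or any vendor tooling: one way to check flow records for the two conditions above, management-interface access from untrusted hosts and unexpected connections initiated by the router. The addresses, ports, allowlists and flow-record layout are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values for this sketch; none come from the advisory.
ROUTER_IP = ipaddress.ip_address("192.168.0.1")             # router management IP
TRUSTED_ADMINS = [ipaddress.ip_network("192.168.0.10/32")]  # hosts allowed on the web UI
MGMT_PORTS = {80, 443}                                      # web management ports
EXPECTED_OUTBOUND = {("udp", 53), ("udp", 123)}             # DNS and NTP from the router

# Constructed records: "time initiator_ip initiator_port responder_ip responder_port proto"
SAMPLE_FLOWS = """\
2026-04-18T10:00:01Z 192.168.0.10 51000 192.168.0.1 80 tcp
2026-04-18T10:00:05Z 192.168.0.1 40000 198.51.100.53 53 udp
2026-04-18T10:02:11Z 192.168.0.77 51812 192.168.0.1 80 tcp
2026-04-18T10:02:13Z 192.168.0.1 41234 203.0.113.50 8081 tcp
2026-04-18T10:03:00Z 192.168.0.77 51900 192.168.0.20 445 tcp
malformed line
"""

def parse_flow(line):
    """Return a flow dict, or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None

def audit(text):
    """Return (reason, timestamp, peer) tuples for flows that break the policy."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip records that cannot be parsed
        if flow["dst"] == ROUTER_IP and flow["dport"] in MGMT_PORTS:
            if not any(flow["src"] in net for net in TRUSTED_ADMINS):
                findings.append(("untrusted-mgmt-access", flow["ts"], str(flow["src"])))
        elif flow["src"] == ROUTER_IP:
            if (flow["proto"], flow["dport"]) not in EXPECTED_OUTBOUND:
                findings.append(("unexpected-router-outbound", flow["ts"],
                                 f'{flow["dst"]}:{flow["dport"]}'))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

The check treats the first address in each record as the connection initiator, so it needs connection-level logs rather than per-packet captures.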