Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. This affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument setUssd results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
AnalysisAI
Command injection in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary system commands via the setUssd parameter in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed via GitHub). EPSS data not provided, but CVSS v4.0 base score of 7.4 with low attack complexity (AC:L) and network attack vector (AV:N) indicates moderate-to-high severity for internet-facing devices with default credentials or weak authentication.
Technical ContextAI
This vulnerability affects the cstecgi.cgi web interface component (function sub_41A68C) in Totolink NR1800X router firmware version 9.1.0u.6279_B20210910. The issue is a CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) command injection flaw. The setUssd parameter in the CGI endpoint fails to properly sanitize user input before passing it to system command execution functions. CGI-based router interfaces commonly use shell commands to configure device settings, and inadequate input validation allows attackers to inject shell metacharacters (e.g., semicolons, pipes, backticks) to execute arbitrary operating system commands with the privileges of the web server process, typically root on embedded devices. The CVSS v4.0 vector indicates network-based exploitation (AV:N) with low complexity (AC:L) requiring low-privileged authentication (PR:L), resulting in high impact to confidentiality, integrity, and availability of the vulnerable component (VC:H/VI:H/VA:H) with no impact to subsequent systems (SC:N/SI:N/SA:N). The E:P metric confirms proof-of-concept exploit code exists.
RemediationAI
No vendor-released patch or updated firmware version was identified in the provided references at time of analysis. Organizations and users should immediately implement the following compensating controls in priority order: (1) Disable remote management access to the router's web interface from WAN/internet side, restricting administrative access to LAN-only connections - this eliminates the network attack vector for external attackers but does not protect against already-compromised internal systems; (2) Change default administrative credentials to strong, unique passwords of 16+ characters with mixed case, numbers, and symbols to raise the authentication barrier, though this does not eliminate risk for authenticated attackers; (3) Implement network segmentation to isolate the vulnerable router on a dedicated management VLAN with strict ACLs limiting which internal hosts can access the administrative interface; (4) Monitor router logs for unexpected command execution patterns or configuration changes, though logging capabilities on consumer routers are typically limited. For high-security environments, consider replacing the Totolink NR1800X with alternative router hardware from vendors with established security response programs until an official patch is released. Check Totolink's support site (https://www.totolink.net/) periodically for firmware updates. The GitHub POC repository at https://github.com/newym/cve/blob/main/totolink%20nr1800x%20command%20injection.md may contain additional technical details useful for detection signature development, though reviewing exploit code should be done in isolated environments only.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26472