
1,180 CVEs: Totolink Router Command Injection Campaign Dominates Week

Reporting period: Apr 13 - Apr 20, 2026

  • Total CVEs: 1180
  • Critical + High: 590
  • KEV: 1
  • Public Exploits: 96

Executive Summary

Overview

Vuln.today data for the reporting period 2026-04-13 to 2026-04-20 identifies 1,180 published CVEs: 108 CRITICAL, 482 HIGH, 498 MEDIUM, 66 LOW, and 26 UNKNOWN severity. One CISA KEV entry is present. Public exploit code exists for 96 CVEs. Vendor-released patches are available for 606 CVEs, leaving 230 CRITICAL and HIGH severity vulnerabilities unpatched. CVE publication volume decreased 22% week-over-week (previous week: 1,516 CVEs).

Critical Threats

  • CVE-2026-32201 (MEDIUM, CVSS 6.5): Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Confirmed actively exploited (CISA KEV) with public exploit code available. Patch available per vendor advisory.
  • CVE-2026-6155 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolink A7100RU devices in production using network scanning or device management systems; isolate affected devices from critical network segments if a firmware update is unavailable.
  • CVE-2026-6154 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted wizard parameters to the setWizardCfg CGI function. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolink A7100RU routers in your environment using network scanning tools and confirm the firmware version via device administration interfaces. Within 7 days: Isolate affected devices from untrusted networks.
  • CVE-2026-6156 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the Comment parameter in the setIpQosRules function exposed through /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolink A7100RU devices in production using network scanning and firmware inventory tools; isolate affected units from production networks if possible. Within 7 days: Contact Totolink for available firmware updates.
  • CVE-2026-6139 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in the UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub POC). No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolink A7100RU devices in your network and verify the firmware version (7.4cu.2313_b20191024). Within 7 days: Contact Totolink for available firmware updates and test them in a non-production environment.
  • CVE-2026-6138 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolink A7100RU routers in production, especially those accessible from the internet; isolate affected devices from management networks if a firmware update is unavailable.
  • CVE-2026-6140 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via a crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. Public exploit code available (GitHub). No vendor-released patch identified at time of analysis. Within 24 hours: Identify and inventory all Totolink A7100RU devices running firmware 7.4cu.2313_b20191024 in your network using asset discovery tools; isolate affected devices from production networks.
  • CVE-2026-6195 (HIGH, CVSS 8.9): Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Within 24 hours: Identify all Totolink A7100RU devices in production and document current firmware versions. Within 7 days: Isolate affected devices (firmware 7.4cu.2313_b20191024) from untrusted networks.
  • CVE-2026-3830 (HIGH, CVSS 8.6): SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. Public exploit code available. Patch available per vendor advisory. Within 24 hours: Identify all WooCommerce installations using Product Filter for WooCommerce by WBW and document current plugin version. Within 7 days: Update Product Filter for WooCommerce by WBW to version 3.1.3 or higher.
  • CVE-2026-6204 (HIGH, CVSS 8.5): Remote code execution in LibreNMS network monitoring platform (versions prior to 26.3.0) allows authenticated administrators to execute arbitrary commands on the underlying web server by manipulating Binary Locations configuration settings combined with the Netcommand feature. Public exploit code available. Patch available per vendor advisory. Within 24 hours: Inventory all LibreNMS deployments and document current versions; restrict administrative access to LibreNMS to only essential personnel pending remediation. Within 7 days: Upgrade all LibreNMS instances to version 26.3.0 or later.
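The seven Totolink A7100RU entries above share one shape: a configuration value reaching a shell through /cgi-bin/cstecgi.cgi. As an added example that is not part of this report, the Python below is defender-side detection logic that flags web-server log requests sending shell metacharacters to the CGI functions and parameters the advisories name. The log format and the `function` query key carrying the CGI function name are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# CGI function -> parameter(s) named in the advisories; None = any parameter (name not given on the page)
VULNERABLE_PARAMS = {
    "setWanCfg": {"pppoeServiceName"},   # CVE-2026-6155
    "setWizardCfg": None,                 # CVE-2026-6154
    "setIpQosRules": {"Comment"},         # CVE-2026-6156
    "UploadOpenVpnCert": {"FileName"},    # CVE-2026-6139
    "setAccessDeviceCfg": None,           # CVE-2026-6138
    "UploadFirmwareFile": {"FileName"},   # CVE-2026-6140
    "setPasswordCfg": {"admpass"},        # CVE-2026-6195
}
# Characters a shell uses to chain or substitute commands; in a value that should
# be a service name, comment, file name or password they are the signal.
SHELL_META = re.compile(r"[;|&`$(){}\n]")
# Common/combined log format: client, identd, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
FUNCTION_KEY = "function"  # assumed query key carrying the CGI function name

def find_suspicious(log_lines):
    """Return (src_ip, cgi_function, parameter) for requests sending shell metacharacters to injectable parameters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/cgi-bin/cstecgi.cgi":
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        func = params.get(FUNCTION_KEY, [""])[0]
        if func not in VULNERABLE_PARAMS:
            continue
        watched = VULNERABLE_PARAMS[func]
        for name, values in params.items():
            if name == FUNCTION_KEY or (watched is not None and name not in watched):
                continue
            if any(SHELL_META.search(v) for v in values):
                hits.append((m.group("src"), func, name))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi?function=setWanCfg&pppoeServiceName=isp%3Bls HTTP/1.1" 200 45',
    '198.51.100.9 - - [14/Apr/2026:10:02:15 +0000] "POST /cgi-bin/cstecgi.cgi?function=setWanCfg&pppoeServiceName=myisp HTTP/1.1" 200 45',
    '192.0.2.5 - - [14/Apr/2026:10:03:40 +0000] "POST /cgi-bin/cstecgi.cgi?function=setIpQosRules&Comment=%60id%60 HTTP/1.1" 200 45',
    '192.0.2.5 - - [14/Apr/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Matching on decoded values matters: the injection characters arrive percent-encoded in the log, so a raw substring search for `;` on the log line would miss the first sample.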

Threat Landscape

Microsoft leads vendor exposure with 177 CVEs, followed by Red Hat (114), SUSE (109), and WordPress (100). Google, Fortinet, Adobe, Dell, SAP, and Linux each account for 16-38 CVEs. Information Disclosure (272 CVEs) and Authentication Bypass (204 CVEs) dominate attack techniques, followed by RCE (145), Denial of Service (138), Buffer Overflow (136), XSS (132), and SQLi (113). Of 590 CRITICAL and HIGH severity CVEs, 230 (39%) remain unpatched. Five CVEs (CVE-2026-35546, CVE-2026-5387, CVE-2026-6284, CVE-2026-40066, CVE-2026-35682) have linked threat intelligence from MISP Galaxies, MITRE ATT&CK, or CISA sources.

Key Trends

CVE publication volume declined 22% week-over-week, from 1,516 to 1,180. Microsoft alone accounts for 15% of the week's total CVE count. Information Disclosure and Authentication Bypass techniques represent 40% of all categorized attack vectors. The dataset shows 51% patch availability (606 of 1,180 CVEs), leaving nearly half of all published vulnerabilities without vendor-released fixes. Public exploit code exists for 96 CVEs (8.1% of total), while only one CVE appears in CISA's Known Exploited Vulnerabilities catalog.

Recommendations

  • Within 24 hours: Identify and inventory all Totolink A7100RU devices in production using network scanning or device management systems; isolate affected devices from critical network segments if a firmware update is unavailable (CVE-2026-6155).
  • Within 24 hours: Identify and inventory all Totolink A7100RU routers in your environment using network scanning tools and confirm the firmware version via device administration interfaces. Within 7 days: Isolate affected devices from untrusted networks (CVE-2026-6154).
  • Within 24 hours: Identify all Totolink A7100RU devices in production using network scanning and firmware inventory tools; isolate affected units from production networks if possible. Within 7 days: Contact Totolink for available firmware updates (CVE-2026-6156).
  • Within 24 hours: Identify all Totolink A7100RU devices in your network and verify the firmware version (7.4cu.2313_b20191024). Within 7 days: Contact Totolink for available firmware updates and test them in a non-production environment (CVE-2026-6139).
  • Within 24 hours: Identify and inventory all Totolink A7100RU routers in production, especially those accessible from the internet; isolate affected devices from management networks if a firmware update is unavailable (CVE-2026-6138).
  • Within 24 hours: Identify and inventory all Totolink A7100RU devices running firmware 7.4cu.2313_b20191024 in your network using asset discovery tools; isolate affected devices from production networks (CVE-2026-6140).
  • Within 24 hours: Identify all Totolink A7100RU devices in production and document current firmware versions. Within 7 days: Isolate affected devices (firmware 7.4cu.2313_b20191024) from untrusted networks (CVE-2026-6195).
  • Within 24 hours: Identify all WooCommerce installations using Product Filter for WooCommerce by WBW and document current plugin version. Within 7 days: Update Product Filter for WooCommerce by WBW to version 3.1.3 or higher (CVE-2026-3830).
  • Within 24 hours: Inventory all LibreNMS deployments and document current versions; restrict administrative access to LibreNMS to only essential personnel pending remediation. Within 7 days: Upgrade all LibreNMS instances to version 26.3.0 or later (CVE-2026-6204).
  • Address the one CISA KEV entry (CVE-2026-32201) according to federal binding operational directive timelines.
  • Prioritize remediation of 230 unpatched CRITICAL and HIGH severity vulnerabilities, focusing on assets with network exposure or those handling sensitive data.
  • Review the 96 CVEs with public exploit code for presence in your environment, prioritizing those rated HIGH or CRITICAL severity.

Top 10 Priority CVEs

CVE-2026-32201 MEDIUM KEV POC (priority score 109)

Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers to forge communications and deceive users. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, making it a critical operational priority despite the moderate CVSS score of 6.5.

CVE-2026-6155 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC), enabling trivial remote compromise with high impact on confidentiality, integrity, and availability. CVSS 8.9 (Critical) with network attack vector, low complexity, and no authentication required. SOHO router vulnerabilities like this are commonly targeted for botnet recruitment and lateral network movement.

CVE-2026-6154 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via crafted wizard parameters to the setWizardCfg CGI function. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. The CVSS 4.0 score of 8.9 reflects network-accessible attack vector with no authentication or user interaction required, enabling full compromise of router confidentiality, integrity, and availability.

CVE-2026-6156 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the Comment parameter in the setIpQosRules function exposed through /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector, low complexity, and no privileges required. Publicly available exploit code exists (GitHub POC published), significantly lowering the exploitation barrier for opportunistic attackers targeting vulnerable devices.

CVE-2026-6139 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC on GitHub), enabling trivial exploitation with no authentication required. CVSS 9.8 (Critical) reflects network-based attack vector with low complexity and no privileges needed. No vendor-released patch identified at time of analysis.

CVE-2026-6138 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with publicly available exploit code on GitHub. No authentication, low complexity, network-exploitable. EPSS and KEV data not available, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed router management interfaces.

CVE-2026-6140 HIGH POC (priority score 65)

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with network attack vector, no privileges required, and complete system compromise possible. Publicly available exploit code exists (GitHub POC). No vendor-released patch identified at time of analysis. EPSS data not provided, but combination of critical CVSS, unauthenticated remote vector, and public exploit indicates high real-world exploitation risk.

CVE-2026-6195 HIGH POC (priority score 65)

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS 8.9, EPSS 0.89% / 76th percentile, SSVC: POC/automatable/total impact). Not listed in CISA KEV; real-world exploitation status unconfirmed beyond POC publication.

CVE-2026-3830 HIGH POC (priority score 63)

SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

CVE-2026-6204 HIGH POC (priority score 63)

Remote code execution in LibreNMS network monitoring platform (versions prior to 26.3.0) allows authenticated administrators to execute arbitrary commands on the underlying web server by manipulating Binary Locations configuration settings combined with the Netcommand feature. This authenticated attack requires administrative privileges but has publicly available exploit code, enabling straightforward weaponization. CVSS 8.5 severity reflects high confidentiality and integrity impact with network-based attack vector and low complexity.
