Skip to main content

Totolink NR1800X EUVDEUVD-2026-26472

| CVE-2026-7548 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-01 cna@vuldb.com
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 03:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 03:22 euvd
EUVD-2026-26472
Analysis Generated
May 01, 2026 - 03:22 vuln.today
CVE Published
May 01, 2026 - 03:16 nvd
HIGH 7.4

DescriptionCVE.org

A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. This affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument setUssd results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.

AnalysisAI

Command injection in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary system commands via the setUssd parameter in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed via GitHub). EPSS data not provided, but CVSS v4.0 base score of 7.4 with low attack complexity (AC:L) and network attack vector (AV:N) indicates moderate-to-high severity for internet-facing devices with default credentials or weak authentication.

Technical ContextAI

This vulnerability affects the cstecgi.cgi web interface component (function sub_41A68C) in Totolink NR1800X router firmware version 9.1.0u.6279_B20210910. The issue is a CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) command injection flaw. The setUssd parameter in the CGI endpoint fails to properly sanitize user input before passing it to system command execution functions. CGI-based router interfaces commonly use shell commands to configure device settings, and inadequate input validation allows attackers to inject shell metacharacters (e.g., semicolons, pipes, backticks) to execute arbitrary operating system commands with the privileges of the web server process, typically root on embedded devices. The CVSS v4.0 vector indicates network-based exploitation (AV:N) with low complexity (AC:L) requiring low-privileged authentication (PR:L), resulting in high impact to confidentiality, integrity, and availability of the vulnerable component (VC:H/VI:H/VA:H) with no impact to subsequent systems (SC:N/SI:N/SA:N). The E:P metric confirms proof-of-concept exploit code exists.

RemediationAI

No vendor-released patch or updated firmware version was identified in the provided references at time of analysis. Organizations and users should immediately implement the following compensating controls in priority order: (1) Disable remote management access to the router's web interface from WAN/internet side, restricting administrative access to LAN-only connections - this eliminates the network attack vector for external attackers but does not protect against already-compromised internal systems; (2) Change default administrative credentials to strong, unique passwords of 16+ characters with mixed case, numbers, and symbols to raise the authentication barrier, though this does not eliminate risk for authenticated attackers; (3) Implement network segmentation to isolate the vulnerable router on a dedicated management VLAN with strict ACLs limiting which internal hosts can access the administrative interface; (4) Monitor router logs for unexpected command execution patterns or configuration changes, though logging capabilities on consumer routers are typically limited. For high-security environments, consider replacing the Totolink NR1800X with alternative router hardware from vendors with established security response programs until an official patch is released. Check Totolink's support site (https://www.totolink.net/) periodically for firmware updates. The GitHub POC repository at https://github.com/newym/cve/blob/main/totolink%20nr1800x%20command%20injection.md may contain additional technical details useful for detection signature development, though reviewing exploit code should be done in isolated environments only.

Share

EUVD-2026-26472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy