CVE-2026-6158 Overview
CVE-2026-6158 is an operating system (OS) command injection vulnerability in the TOTOLINK N300RH router running firmware version 6.1c.1353_B20190305. The flaw resides in the setUpgradeUboot function inside the upgrade.so shared object. Attackers can manipulate the FileName argument to inject arbitrary shell commands that the router executes in its operating context. The issue is network-reachable and requires no authentication or user interaction. A public proof-of-concept exploit has been published on GitHub, increasing the likelihood of opportunistic abuse against exposed devices.
Critical Impact
Unauthenticated remote attackers can execute arbitrary OS commands on affected TOTOLINK N300RH devices, leading to full router compromise and pivot opportunities into internal networks.
Affected Products
- TOTOLINK N300RH router
- Firmware version 6.1c.1353_B20190305
- The vulnerable component is the setUpgradeUboot function in upgrade.so
Discovery Timeline
- 2026-04-13 - CVE-2026-6158 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6158
Vulnerability Analysis
The vulnerability is classified under [CWE-77] Improper Neutralization of Special Elements used in a Command. The setUpgradeUboot handler in upgrade.so accepts a FileName parameter that is concatenated into a shell command string without sanitization. When an attacker supplies shell metacharacters such as backticks, semicolons, or $() constructs in FileName, the embedded payload is executed by the underlying shell.
Because router web services on embedded Linux devices typically run as root, successful injection yields full administrative control. Attackers can read configuration, dump credentials, modify firmware, enable remote access, or recruit the device into a botnet.
The Exploit Prediction Scoring System (EPSS) rates this issue at the 89.64th percentile, indicating substantially higher exploitation probability than the average disclosed CVE.
Root Cause
The root cause is missing input validation and unsafe command construction in the setUpgradeUboot function. The firmware passes user-controlled HTTP parameters directly into a system() or equivalent shell invocation. No allow-list filtering, escaping, or argv-style execution is applied to the FileName value.
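The two patterns the paragraph contrasts, the spliced shell string beside an allow-list check with argv-style execution, as an added Python example. It is not firmware code and not from the advisory: the cp command, the /tmp staging paths and the allow-list pattern are assumptions made for illustration, since the page does not state which command the handler runs.

```python
import re
import subprocess
from typing import List

# Allow-list for an upgrade image name: an alphanumeric first character, then
# letters, digits, dot, underscore or dash. Path separators, whitespace and every
# shell metacharacter are rejected by construction. The pattern is an assumption,
# not the firmware's own check.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_filename(name: str) -> bool:
    """True only when the value matches the allow-list."""
    return SAFE_NAME_RE.fullmatch(name) is not None


def build_shell_command_unsafe(file_name: str) -> str:
    """The vulnerable pattern: the untrusted HTTP parameter is spliced into a
    string that a shell will parse, so ';', '|', backticks or '$()' in the
    value become additional commands. Returned for inspection only, never run."""
    return f"cp /tmp/{file_name} /tmp/uboot.bin"  # hypothetical command


def build_argv_safe(file_name: str) -> List[str]:
    """Hardened form: validate first, then build an argv list so that no shell
    ever parses the value. Even if a metacharacter slipped through, cp would
    receive it literally; the allow-list keeps it from getting that far."""
    if not is_safe_filename(file_name):
        raise ValueError(f"rejected FileName: {file_name!r}")
    # '--' ends option parsing so the value can never be read as a cp flag.
    return ["cp", "--", f"/tmp/{file_name}", "/tmp/uboot.bin"]


def run_upgrade_safe(file_name: str) -> int:
    """Execute the hardened form without a shell (shell=False is the default)."""
    return subprocess.run(build_argv_safe(file_name), check=False).returncode


if __name__ == "__main__":
    print(build_shell_command_unsafe("uboot.bin;x"))  # the spliced string
    print(build_argv_safe("uboot_6.1c.bin"))          # accepted, argv form
    try:
        build_argv_safe("uboot.bin;x")
    except ValueError as exc:
        print(exc)                                    # rejected before any exec
```

The point of the argv form is that the value is a single process argument, never shell syntax; the allow-list is the first line of defence and the absence of a shell the second, so a gap in one does not by itself give command execution.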
Attack Vector
The attack is performed over the network against the router's management interface. A crafted HTTP request that invokes setUpgradeUboot with a malicious FileName value triggers command execution. The published proof-of-concept demonstrates remote code execution without credentials. Refer to the GitHub PoC Repository and VulDB #357038 for request structure and parameter details.
Detection Methods for CVE-2026-6158
Indicators of Compromise
- Unexpected outbound connections from the router to attacker-controlled hosts, especially TFTP, HTTP, or reverse-shell ports
- Modified /etc/, /tmp/, or NVRAM configuration entries containing injected scripts or new iptables rules
- Web request logs containing shell metacharacters such as ;, |, `, or $( in the FileName parameter of setUpgradeUboot
- Unauthorized firmware or U-Boot environment changes appearing after inbound HTTP POSTs to the upgrade endpoint
Detection Strategies
- Inspect HTTP traffic destined to the router admin interface for requests targeting setUpgradeUboot with non-filename characters in FileName
- Deploy network IDS signatures that flag command-injection metacharacters in URI parameters of TOTOLINK CGI endpoints
- Monitor DNS and NetFlow telemetry for routers initiating outbound connections that fall outside their normal baseline, since such connections are atypical for an edge device
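The log-inspection check from the indicators and detection lists above, run over a few constructed access-log lines, as an added Python example that is not part of the advisory. It assumes the request names the handler and carries FileName in the query string; the CGI path, the action parameter, addresses and timestamps are made up. Access logs normally omit POST bodies, so a FileName sent only in a body has to come from a proxy or IDS capture instead; the same analysis applies to that text.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common log format; addresses, path and values are
# made up for the example. Line 2 carries a URL-encoded ';', line 4 a '$()'
# construct and line 5 the same construct double-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Apr/2026:10:01:02 +0000] "GET /cgi-bin/upgrade.cgi?action=setUpgradeUboot&FileName=uboot.bin HTTP/1.1" 200 51
192.0.2.10 - - [13/Apr/2026:10:01:09 +0000] "GET /cgi-bin/upgrade.cgi?action=setUpgradeUboot&FileName=uboot.bin%3Bsomething HTTP/1.1" 200 51
192.0.2.11 - - [13/Apr/2026:10:02:00 +0000] "GET /cgi-bin/status.cgi?action=getStatus HTTP/1.1" 200 800
192.0.2.12 - - [13/Apr/2026:10:03:30 +0000] "POST /cgi-bin/upgrade.cgi?action=setUpgradeUboot&FileName=%24%28x%29 HTTP/1.1" 200 51
192.0.2.12 - - [13/Apr/2026:10:03:31 +0000] "POST /cgi-bin/upgrade.cgi?action=setUpgradeUboot&FileName=%2524%2528x%2529 HTTP/1.1" 200 51
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The allow-list an upgrade handler should enforce: anything outside it is suspicious.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Characters with special meaning to a POSIX shell; reported individually.
METACHARS = set(";|&`$()<>{}\n\r \t'\"\\")


def analyze_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a setUpgradeUboot request whose FileName is not a
    plain file name, else None."""
    m = LINE_RE.match(line)
    if not m or "setUpgradeUboot" not in m.group("target"):
        return None
    query = urlsplit(m.group("target")).query
    for raw in parse_qs(query, keep_blank_values=True).get("FileName", []):
        # parse_qs decoded one layer; decode again so double-encoding cannot hide the value.
        for value in (unquote(raw), raw):
            hits = "".join(sorted(set(value) & METACHARS))
            if hits or not SAFE_NAME_RE.fullmatch(value):
                return {
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "file_name": value,
                    "metachars": hits,
                }
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Apply analyze_line to every line and keep the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The check is deliberately an allow-list rather than a metacharacter deny-list alone: a FileName that contains no listed metacharacter but still is not a plain file name (a path, a percent-encoded residue, an unusual length) is reported too, which is what the "non-filename characters" strategy above asks for.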
Monitoring Recommendations
- Centralize router syslog and web management logs into a SIEM for correlation and retention
- Alert on configuration drift, new processes, or firmware version changes on edge devices
- Track exposure of TOTOLINK management interfaces to the WAN using external attack-surface scans
How to Mitigate CVE-2026-6158
Immediate Actions Required
- Disable remote (WAN-side) management on the TOTOLINK N300RH and restrict the admin interface to trusted LAN segments only
- Place affected devices behind a firewall and block inbound access to the router HTTP/HTTPS administration ports
- Audit logs for prior requests to setUpgradeUboot containing suspicious FileName values and reset credentials if compromise is suspected
- Replace end-of-support hardware where the vendor does not provide a fixed firmware build
Patch Information
No vendor advisory or fixed firmware version is referenced in the NVD record at the time of publication. Consult the TOTOLINK Official Website for updated firmware availability and the VulDB #357038 CTI entry for tracking remediation status.
Workarounds
- Disable the firmware upgrade web functionality where the device configuration permits it
- Segment IoT and SOHO routers onto isolated VLANs with egress filtering to limit post-exploitation impact
- Enforce strong, unique admin credentials and rotate them after any suspected interaction with the upgrade endpoint
- Consider replacing the device with a supported model if no patch is forthcoming
# Example: block inbound access to router management on an upstream firewall.
# Replace <router_ip> with the device's address. Rules appended with -A are
# evaluated after existing FORWARD rules, so place them ahead of any blanket
# ACCEPT (or insert them at the top with -I) for the drop to take effect.
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


