CVE-2026-7633 Overview
CVE-2026-7633 is a file inclusion vulnerability affecting TOTOLINK N300RH firmware version 6.1c.1353_B20190305. The flaw resides in the setUploadSetting function within /cgi-bin/cstecgi.cgi, where the FileName argument is not properly sanitized before being used in a file operation. Remote attackers can manipulate the parameter to include unintended files on the device. The issue is tracked under CWE-73: External Control of File Name or Path. A public proof-of-concept exists, increasing the likelihood of opportunistic exploitation against exposed routers.
Critical Impact
Unauthenticated remote attackers can manipulate the FileName parameter to trigger file inclusion against the router's CGI handler, with limited impact on the integrity and availability of affected devices.
Affected Products
- TOTOLINK N300RH router
- Firmware version 6.1c.1353_B20190305
- /cgi-bin/cstecgi.cgi handler exposing setUploadSetting
Discovery Timeline
- 2026-05-02 - CVE-2026-7633 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7633
Vulnerability Analysis
The vulnerability exists in the setUploadSetting function exposed through the CGI binary /cgi-bin/cstecgi.cgi on the TOTOLINK N300RH router. The handler accepts a user-controlled FileName argument and uses it in a file operation without sufficient validation. An attacker can supply crafted path values to influence which file the function processes. Public proof-of-concept code is hosted on a GitHub PoC repository, and additional metadata is tracked at VulDB Vulnerability #360579. The EPSS probability is currently 0.12%, reflecting limited observed exploitation activity at this time.
Root Cause
The root cause is improper external control of a file name or path [CWE-73]. The setUploadSetting function trusts attacker-supplied input for the FileName parameter and passes it into a file API without canonicalization, allowlisting, or directory restriction. As a result, supplied values can reference files outside the intended scope.
Attack Vector
The attack is performed remotely over the network and requires no authentication or user interaction. An attacker sends an HTTP request to /cgi-bin/cstecgi.cgi invoking the setUploadSetting function with a crafted FileName value. The exploitation mechanism is documented in the public proof-of-concept; refer to the linked repository for technical reproduction details rather than synthetic code.
Detection Methods for CVE-2026-7633
Indicators of Compromise
- HTTP POST requests to /cgi-bin/cstecgi.cgi containing the setUploadSetting topicurl value combined with anomalous FileName parameters.
- FileName argument values containing path traversal sequences such as ../ or absolute paths to system files.
- Unexpected file access patterns or modifications on the router's filesystem originating from the CGI process.
Detection Strategies
- Inspect inbound HTTP traffic to TOTOLINK management interfaces for requests targeting setUploadSetting from untrusted source addresses.
- Deploy network IDS signatures matching cstecgi.cgi requests with suspicious FileName payloads.
- Correlate router log output with edge firewall telemetry to identify anomalous CGI invocations.
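The indicators and strategies above can be combined into one triage pass over captured management-interface requests. This is an added example, not code from the advisory or the public proof-of-concept; it assumes the request body is JSON carrying topicurl and FileName keys, that records arrive as (src, method, path, body) tuples, and that 192.168.0.0/24 is the trusted management LAN.

```python
import ipaddress
import json
import re
from urllib.parse import unquote

CGI = "/cgi-bin/cstecgi.cgi"
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: trusted management LAN
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # ".." bounded by path separators
FILENAME_RE = re.compile(r'"FileName"\s*:\s*"([^"]*)"')

def extract_fields(body):
    """Return (topicurl, FileName); fall back to regex when the JSON is malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if isinstance(data, dict):
        return str(data.get("topicurl", "")), data.get("FileName")
    m = FILENAME_RE.search(body)
    topic = "setUploadSetting" if "setUploadSetting" in body else ""
    return topic, (m.group(1) if m else None)

def filename_reasons(value):
    """Check a FileName value for the traversal and absolute-path indicators."""
    decoded = unquote(unquote(value)) if isinstance(value, str) else ""
    checks = (("path traversal", TRAVERSAL.search(decoded)),
              ("absolute path", decoded.startswith(("/", "\\"))))
    return [name for name, hit in checks if hit]

def triage(requests):
    """Return (src, FileName, reasons) for each setUploadSetting request to review."""
    alerts = []
    for src, method, path, body in requests:
        topic, fname = extract_fields(body)
        if method != "POST" or not path.startswith(CGI) or not topic.endswith("setUploadSetting"):
            continue
        reasons = filename_reasons(fname)
        if ipaddress.ip_address(src) not in MGMT_NET:
            reasons.append("untrusted source")
        if reasons:
            alerts.append((src, fname, reasons))
    return alerts

# Constructed sample records (src, method, path, body); not real traffic.
SAMPLE = [
    ("192.168.0.10", "POST", CGI, '{"topicurl":"setUploadSetting","FileName":"firmware.bin"}'),
    ("203.0.113.7", "POST", CGI, '{"topicurl":"setUploadSetting","FileName":"../../etc/passwd"}'),
    ("192.168.0.23", "POST", CGI, '{"topicurl":"setUploadSetting","FileName":"%2e%2e%2fconf"'),
]
```

The third sample record has a truncated JSON body and a percent-encoded FileName, so it is caught only because of the regex fallback and the decoding step.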
Monitoring Recommendations
- Monitor for management interfaces of TOTOLINK N300RH devices reachable from the public internet.
- Alert on repeated failed or malformed HTTP requests against /cgi-bin/cstecgi.cgi.
- Track configuration drift on router firmware to detect unauthorized changes following exploitation attempts.
How to Mitigate CVE-2026-7633
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal networks only.
- Disable remote WAN-side administration on affected TOTOLINK N300RH devices.
- Audit router logs for prior exploitation attempts targeting setUploadSetting.
Patch Information
No vendor patch has been published in the referenced advisories at the time of writing. Consult the TOTOLINK Official Website for firmware updates and replace end-of-life hardware with supported models if no fix is released.
Workarounds
- Place the affected device behind a network segmentation boundary that blocks unsolicited inbound HTTP/HTTPS traffic.
- Apply ACLs on upstream firewalls to drop external requests to the router's CGI endpoints.
- Rotate administrative credentials and enforce strong passwords to limit follow-on access if exploitation is suspected.