This remote code execution vulnerability exists in the CGI handler of vulnerable Totolink A7100RU routers. Attackers can inject arbitrary OS commands by manipulating the pppoeServiceName argument in the setWanCfg function. The exploit has been made public, allowing low-skill actors to abuse this flaw.
Remediation
Totolink has not released an official patch for this end-of-life product. Organizations should replace vulnerable devices with supported alternative router hardware. Block all untrusted access to the router's management interface until replacement is completed.
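Until the device is replaced, requests to its management interface can be reviewed for the two conditions described above: a source outside the trusted management network, and a `setWanCfg` call whose `pppoeServiceName` is not a plain service name. The following is an added example, not code from Totolink or from the advisory. The log schema (`src`, `function`, `params`), the management subnet, the allowlist pattern and the `otherFunction` name are assumptions made for illustration.

```python
import ipaddress
import json
import re

# Assumption: the only network allowed to reach the router's management interface.
MGMT_NET = ipaddress.ip_network("192.0.2.0/28")
# Assumption: conservative allowlist for a PPPoE service name; anything else is flagged.
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]{0,64}")

# Constructed sample records in a hypothetical proxy/IDS schema, one JSON object per line.
SAMPLE_LOG = """\
{"src": "192.0.2.5", "function": "setWanCfg", "params": {"pppoeServiceName": "isp-fiber_01"}}
{"src": "192.0.2.5", "function": "setWanCfg", "params": {"pppoeServiceName": "isp;echo test"}}
{"src": "203.0.113.77", "function": "setWanCfg", "params": {"pppoeServiceName": "isp"}}
{"src": "198.51.100.9", "function": "otherFunction", "params": {}}
not-json garbage line
{"src": "192.0.2.6", "function": "setWanCfg", "params": {"pppoeServiceName": ["x"]}}
"""

def review(log_text):
    """Return a list of (line_number, src, reason) findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
        except (ValueError, KeyError, TypeError):
            # Malformed records are reported, not silently skipped.
            findings.append((n, None, "unparseable record"))
            continue
        if src not in MGMT_NET:
            findings.append((n, str(src), "management request from untrusted source"))
        if rec.get("function") != "setWanCfg":
            continue
        params = rec.get("params")
        name = params.get("pppoeServiceName", "") if isinstance(params, dict) else None
        # Non-string values and any character outside the allowlist are both flagged.
        if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
            findings.append((n, str(src), "pppoeServiceName outside allowlist"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The allowlist is deliberately stricter than what a PPPoE service name may legally contain, so a flagged value calls for review rather than proving an injection attempt.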
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-6155 or https://vulners.com/cve/CVE-2026-6155. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-6155 | https://github.com/search?q=CVE-2026-6155+exploit