CVE-2026-6158
HIGH
Totolink N300RH upgrade.so setUpgradeUboot os command injection
Title source: cnaDescription
A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. The affected function is setUpgradeUboot in the file upgrade.so. Manipulating the FileName argument causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used.
References (5)
vdb-entry, technical-description
VDB-357038 | Totolink N300RH upgrade.so setUpgradeUboot os command injection
https://vuldb.com/vuln/357038
signature, permissions-required
VDB-357038 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/357038/cti
third-party-advisory
Submit #796426 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection
https://vuldb.com/submit/796426
exploit, patch
https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE
product
https://www.totolink.net/
Scores
CVSS v3: 7.3
EPSS: 0.0141
EPSS Percentile: 69.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-77, CWE-78
Status: published
Products (1): Totolink/N300RH 6.1c.1353_B20190305
Published: Apr 13, 2026
Tracked Since: Apr 13, 2026