CVE-2022-26186
Published 2022-03-22
CVE-2022-26186: TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi.
Priority P1 · 84 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 3.99% (89.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totolink | n600r_firmware | — | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/cstecgi.cgi?exportOvpn
snort:
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:established,to_server; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^[^&]*[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:3; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_29, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```
- Exploit traffic targets the HTTP URI path /cgi-bin/cstecgi.cgi?exportOvpn inbound to networking equipment; look for shell metacharacters (;, newline 0x0a, &, backtick, |, $) immediately following a parameter value in the query string.
- The Emerging Threats rule (SID 2035745) classifies this as attempted-admin and maps to MITRE ATT&CK Lateral Movement (TA0008) / T1210 Exploitation of Remote Services, indicating the vector is network-accessible CGI on the device.
- The vulnerability is specific to TOTOLINK N600R firmware version V4.3.0cu.7570_B20200620; detections should be scoped to that device/firmware version to reduce false positives.
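As an added example (not taken from this page's sources), the rule's content/pcre match chain re-expressed in Python so the same detection logic can be run offline over web-server or proxy access logs. The combined access-log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Added example: the match chain of ET SID 2035745 re-expressed for offline log triage.
# Assumptions (not from the rule itself): combined access-log format with the request
# line as "METHOD URI HTTP/x.y"; all names and sample lines here are constructed.
URI_ANCHOR = "/cgi-bin/cstecgi.cgi?exportOvpn"  # first content match (fast_pattern)
# pcre:"/^[^&]*[\x3b\x0a\x26\x60\x7c\x24]/R": anchored right after an "=",
# any run of non-"&" bytes, then one of ; LF & ` | $
META_AFTER_EQ = re.compile(r"^[^&]*[\x3b\x0a\x26\x60\x7c\x24]")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def matches_sid_2035745(raw_uri: str) -> bool:
    """True if the URI satisfies content + content + relative pcre of SID 2035745."""
    uri = unquote(raw_uri)  # http.uri is the normalized (percent-decoded) buffer
    if URI_ANCHOR not in uri:
        return False
    # The engine retries later "=" positions when the relative pcre fails, so every
    # "=" in the buffer is a candidate anchor for the pcre.
    return any(META_AFTER_EQ.match(uri[m.end():]) for m in re.finditer("=", uri))


def scan_access_log(lines):
    """Return (client_ip, raw_uri) for each request line the rule would flag."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and matches_sid_2035745(m.group("uri")):
            hits.append((line.split()[0], m.group("uri")))
    return hits


# Constructed sample lines (not real traffic); only the second one carries a
# metacharacter (";", percent-encoded) after a parameter value and should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Apr/2022:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?exportOvpn&type=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Apr/2022:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?exportOvpn&type=1%3Bx HTTP/1.1" 200 0',
    '198.51.100.7 - - [05/Apr/2022:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, uri in scan_access_log(SAMPLE_LOG):
        print(f"ALERT sid:2035745 src={ip} uri={uri}")
```

Because `&` (\x26) is itself in the pcre's character class, an `=` followed by a further `&`-separated parameter also satisfies the pcre, so the rule fires on any multi-parameter exportOvpn request, not only on ones carrying a command separator. That is one reason the third bullet's scoping to the affected firmware matters for false-positive control.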
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pm89-xmvf-hr23: TOTOLINK N600R V4
ghsa_unreviewed · 2022-03-23 · CVE-2022-26186 [CRITICAL] · CWE-77
VulnCheck
totolink n600r_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2022 · CVSS 9.8 · CVE-2022-26186 [CRITICAL]
Affected: totolink n600r_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign; https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; https://blog.netlab.360.com/new-ddos-botnet-wszeor/; https://www.microsoft.com/en-us/security/blog/2022/12/21/micro
Suricata
ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)
suricata · 2022-04-05 · CVSS 9.8 · CVE-2022-26186 [CRITICAL]
Rule: sid 2035745, rev 3 (the full rule text is reproduced in the Detection & IOCs section above).
No public exploits indexed.
Fortinet
New Rust Botnet "RustoBot" is Routed via Routers | FortiGuard Labs
blogs_fortinet · 2025-04-21 · CVSS 9.8 [CRITICAL]
By Vincent Li | April 21, 2025
Affected Platforms: TOTOLINK N600R V4.3.0cu.7570_B20200620. TOTOLINK A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026. DrayTek Vigor2960 and Vigor300B 1.5.1.4.
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Unlike previous malware targeting thes
Fortinet
2022 IoT Threat Review | FortiGuard Labs
blogs_fortinet · 2023-01-13 · CVSS 8.8 [HIGH]
By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns. We do this with the assistance of the honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Attack Origins
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial o
Fortinet
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
blogs_fortinet · 2022-04-01 · CVSS 9.8 [CRITICAL]
By Joie Salvio and Roy Tay | April 01, 2022
Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release.
By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expan