CVE-2022-26186
published 2022-03-22

CVE-2022-26186: TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi.

Priority: P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW): VulnCheck KEV
EPSS: 3.99% (89.2th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
totolink | n600r_firmware | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/cstecgi.cgi?exportOvpn
path: /cgi-bin/cstecgi.cgi
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:established,to_server; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^[^&]*[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:3; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_29, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit traffic targets HTTP URI path /cgi-bin/cstecgi.cgi?exportOvpn inbound to networking equipment; look for shell metacharacters (;, newline 0x0a, &, backtick, |, $) immediately following a parameter value in the query string.
  • The Emerging Threats rule (SID 2035745) classifies this as attempted-admin and maps to MITRE ATT&CK Lateral Movement (TA0008) / T1210 Exploitation of Remote Services, indicating the vector is network-accessible CGI on the device.
  • Vulnerability is specific to TOTOLINK N600R firmware version V4.3.0cu.7570_B20200620; detections should be scoped to that device/firmware version to reduce false positives.
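
The rule's character class includes \x26 (&), so any URI with a second query parameter after the first "=" satisfies the pcre. The Python sketch below is an added example, not code from the page or from Emerging Threats: it approximates the rule's match logic and then separates separator-only hits from values that really contain a shell metacharacter. The parameter names `a` and `b`, the sample URIs, and the percent-decoding step are constructed assumptions.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/cstecgi.cgi?exportOvpn"  # first content match in the rule
# The rule's pcre without '^'; .match(text, pos) anchors it right after each "=".
RULE_PCRE = re.compile(r"[^&]*[\x3b\x0a\x26\x60\x7c\x24]")
SHELL_META = re.compile(r"[\x3b\x0a\x26\x60\x7c\x24]")  # ; LF & ` | $

def rule_matches(uri: str) -> bool:
    """Approximate SID 2035745 on a percent-decoded URI (decoding is an assumption)."""
    decoded = unquote(uri)
    if ENDPOINT not in decoded:
        return False
    # content:"=" is unanchored; the relative pcre is tried after every "=".
    return any(RULE_PCRE.match(decoded, m.end()) for m in re.finditer("=", decoded))

def metachar_params(uri: str) -> list[str]:
    """Names of query parameters whose decoded value holds a shell metacharacter."""
    if ENDPOINT not in uri:
        return []
    hits = []
    # A raw '&' is treated as a parameter separator; an encoded %26 stays in the value.
    for pair in uri.split("?", 1)[1].split("&"):
        name, sep, value = pair.partition("=")
        if sep and SHELL_META.search(unquote(value)):
            hits.append(name)
    return hits

def triage(uri: str) -> str:
    """Label a request line for an analyst reviewing alerts from this rule."""
    if not rule_matches(uri):
        return "no-alert"
    return "metachar-in-value" if metachar_params(uri) else "separator-only"

# Constructed request URIs; parameter names and values are hypothetical.
SAMPLES = [
    "/cgi-bin/cstecgi.cgi?exportOvpn&a=1",
    "/cgi-bin/cstecgi.cgi?exportOvpn&a=1&b=2",
    "/cgi-bin/cstecgi.cgi?exportOvpn&a=1%3BPLACEHOLDER",
    "/cgi-bin/other.cgi?a=1;b",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{triage(uri):18} {uri}")
```

Alerts labelled separator-only matched only because of the & between parameters, which is where scoping to the affected device and firmware matters most.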

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL