Home

Description

A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

PUBLISHED Reserved 2026-04-12 | Published 2026-04-13 | Updated 2026-04-16 | Assigner VulDB




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
HIGH: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

OS Command Injection

Command Injection

Product status

6.1c.1353_B20190305
affected

Timeline

2026-04-12:Advisory disclosed
2026-04-12:VulDB entry created
2026-04-12:VulDB entry last update

Credits

xuanyu (VulDB User) reporter

References

vuldb.com/vuln/357038 (VDB-357038 | Totolink N300RH upgrade.so setUpgradeUboot os command injection) vdb-entry technical-description

vuldb.com/vuln/357038/cti (VDB-357038 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/796426 (Submit #796426 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection) third-party-advisory

github.com/.../main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE exploit patch

www.totolink.net/ product

cve.org (CVE-2026-6158)

nvd.nist.gov (CVE-2026-6158)

Download JSON