CVE-2026-1547 - Vulnerability Details

- Totolink A7000R cstecgi.cgi setUnloadUserData command injection

Description

A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Published: 2026-01-28

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the setUnloadUserData function of the cgi-bin/cstecgi.cgi script on the Totolink A7000R router. By manipulating the plugin_name parameter, an attacker can inject arbitrary shell commands (CWE-74), enabling remote execution of code on the device (CWE-77). This results in full compromise of the router’s operating system, granting the attacker control over configuration, network traffic, and potentially other connected devices.

Affected Systems

The affected product is the Totolink A7000R, specifically firmware version 4.1cu.4154. No other versions are indicated as vulnerable in the available data.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score is less than 1 %, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, the publicly available exploit and the fact that the command can be injected via a web-accessible CGI script suggest a likely remote attack vector over the device’s HTTP interface. An attacker would need network access to the router or a valid session to submit the malicious plugin_name value.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Totolink

A7000R

affected

Version	Status	Constraints
`4.1cu.4154`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:totolink:a7000r_firmware:4.1cu.4154:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a7000r:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Totolink	A7000r	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the router firmware to a version that eliminates the command injection flaw; verify the vendor’s latest release notes for a fix.
Restrict access to the router’s management interface by configuring firewalls or network segmentation so that only trusted administrative hosts can reach the CGI endpoint.
Implement input validation or disable the vulnerable endpoint if a patch is unavailable; sanitize or whitelist acceptable values for the plugin_name parameter to prevent injection.

Generated by OpenCVE AI on April 18, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00586.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc
https://vuldb.com/?ctiid.343231
https://vuldb.com/?id.343231
https://vuldb.com/?submit.739713
https://www.totolink.net/

History

Mon, 23 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:totolink:a7000r_firmware::::::::

Mon, 09 Feb 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink a7000r Firmware
CPEs		cpe:2.3:h:totolink:a7000r:-:::::::* cpe:2.3:o:totolink:a7000r_firmware:4.1cu.4154:::::::*
Vendors & Products		Totolink a7000r Firmware

Thu, 29 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 29 Jan 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink Totolink a7000r
Vendors & Products		Totolink Totolink a7000r

Wed, 28 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Title		Totolink A7000R cstecgi.cgi setUnloadUserData command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc https://vuldb.com/?ctiid.343231 https://vuldb.com/?id.343231 https://vuldb.com/?submit.739713 https://www.totolink.net/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Totolink A7000r A7000r Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-28T22:02:10.788Z

Updated: 2026-02-23T09:02:20.499Z

Reserved: 2026-01-28T15:29:16.755Z

Link: CVE-2026-1547

Vulnrichment

Updated: 2026-01-29T16:01:10.770Z

NVD

Status : Analyzed

Published: 2026-01-28T22:15:55.853

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object