Description
A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used.
Published: 2026-04-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in Totolink A8000R firmware 5.9c.681_B20180413 allows an attacker to manipulate the langType argument in the setLanguageCfg function of /cgi-bin/cstecgi.cgi, resulting in missing authentication. This flaw can enable unauthorized configuration changes without credential verification, potentially elevating an attacker’s privileges within the device’s administrative interface.

Affected Systems

The affected system is the Totolink A8000R router running firmware version 5.9c.681_B20180413. Users of this device with the specified firmware should verify whether their unit is running the vulnerable build.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating moderate severity. While the EPSS score is unavailable, publicly documented exploits indicate that it can be launched remotely, and no special local conditions are required. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, but the presence of publicly available exploitation code increases the likelihood of real‑world attacks.

Generated by OpenCVE AI on April 7, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for Totolink A8000R that addresses the setLanguageCfg authentication bypass.
  • If no update is available, restrict or block remote access to the /cgi-bin/cstecgi.cgi endpoint via firewall ACLs or by disabling remote management in the router settings.
  • Verify that the current language configuration matches the intended settings and check for any unauthorized changes.
  • Continuously monitor device logs for repeated attempts to modify the langType parameter and enforce strict access controls.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink, Totolink a8000r
Vendors & Products | | Totolink, Totolink a8000r

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used.
Title | | Totolink A8000R cstecgi.cgi setLanguageCfg missing authentication
Weaknesses | | CWE-287, CWE-306
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR'}
Metrics | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T13:39:06.999Z

Reserved: 2026-04-06T09:38:06.646Z

Link: CVE-2026-5676

Vulnrichment

Updated: 2026-04-07T13:38:16.423Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T19:16:30.470

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-5676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:49Z

Weaknesses