Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-26
Score: 9.3 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection (CWE-77/CWE-78) in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi. The value of the pptpPassThru argument reaches a shell command without adequate validation, so a remote attacker who can reach the web interface can inject arbitrary operating system commands and have them executed on the router with the privileges of the CGI handler.

Affected Systems

The flaw affects Totolink A8000RU devices running firmware 7.1cu.643_b20200521.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (9.8 under CVSS v3.1) classifies this as a critical vulnerability. The EPSS score is 1.3% (low) and the CVE is not listed in the CISA KEV catalog, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that the attack is reachable over the network and requires neither authentication nor user interaction, the SSVC assessment records exploitation status "poc" and Automatable "yes", and exploit code has already been released publicly.

Generated by OpenCVE AI on April 28, 2026 at 05:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware as soon as Totolink publishes a version that fixes the pptpPassThru handling in setVpnPassCfg; at the time of this entry no vendor fix is listed.
  • Until a patch is available, block access to the /cgi-bin/cstecgi.cgi endpoint from untrusted networks. Disabling PPTP pass-through in the configuration should not be relied on by itself: the flaw is in the request handler, which processes the argument whether or not the feature is enabled.
  • Restrict management access to the device by limiting the administration interface to trusted internal IP addresses, disable WAN-side remote management, and ensure the firewall blocks HTTP/HTTPS traffic to the device's web interface from the open Internet.

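The injection described under Impact and the endpoint-blocking advice under Recommended Actions, illustrated with an added example that is not part of the OpenCVE page or of Totolink's firmware. It pairs the allow-list check a fixed setVpnPassCfg handler would apply to pptpPassThru with a scanner that flags setVpnPassCfg requests carrying a non-conforming value or arriving from outside the trusted management network. The request format (a POST to /cgi-bin/cstecgi.cgi with a JSON body naming the function in a topicurl field), the "0"/"1" encoding of the flag, and the log lines are all assumptions constructed for this example, not captured from a device.

```python
"""Added example (not from the OpenCVE page or Totolink firmware).

Allow-list validation for the pptpPassThru argument of setVpnPassCfg, plus a
scanner over constructed access-log lines that flags requests which would have
reached the vulnerable handler with a bad value or from an untrusted network.
Assumed (not stated on the page): requests are POSTs to /cgi-bin/cstecgi.cgi
with a JSON body whose "topicurl" field names the function, and the flag is
encoded as "0"/"1".
"""
import ipaddress
import json
import re
from dataclasses import dataclass

CGI_PATH = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setVpnPassCfg"
ARGUMENT = "pptpPassThru"

# A pass-through toggle is a boolean; the handler should accept nothing else.
ALLOWED_VALUES = {"0", "1"}

# Characters that split or extend a shell command line once an argument is
# spliced into it unquoted (CWE-78): separators, substitution, redirection,
# grouping and quote breaking.
SHELL_META = re.compile(r"""[;&|`$<>\n\r(){}\\'"]""")


def validate_pptp_passthru(value) -> bool:
    """Allow-list check, the fix a patched handler needs before any shell call."""
    return isinstance(value, str) and value in ALLOWED_VALUES


@dataclass
class Finding:
    line_no: int
    src_ip: str
    value: str
    reason: str


def parse_request(line: str):
    """Parse one constructed log line '<src_ip> <method> <path> <body>'.

    Returns (src_ip, pptpPassThru value) for setVpnPassCfg calls, else None.
    """
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    src_ip, method, path, body = parts
    if method != "POST" or path != CGI_PATH:
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or payload.get("topicurl") != FUNCTION:
        return None
    if ARGUMENT not in payload:
        return None
    return src_ip, str(payload[ARGUMENT])


def scan(lines, trusted_nets):
    """Return a Finding for every setVpnPassCfg request that fails validation
    or originates outside the trusted management networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line_no, line in enumerate(lines, start=1):
        parsed = parse_request(line)
        if parsed is None:
            continue
        src_ip, value = parsed
        if not validate_pptp_passthru(value):
            reason = ("shell metacharacters" if SHELL_META.search(value)
                      else "value outside allow-list")
            findings.append(Finding(line_no, src_ip, value, reason))
        if not any(ipaddress.ip_address(src_ip) in net for net in nets):
            findings.append(Finding(line_no, src_ip, value,
                                    "request from untrusted network"))
    return findings


# Constructed sample, not a capture from a real device.
TRUSTED_NETS = ["192.168.0.0/24"]
SAMPLE_LOG = [
    '192.168.0.10 POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnPassCfg","pptpPassThru":"1"}',
    '203.0.113.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnPassCfg","pptpPassThru":"1;id"}',
    '192.168.0.10 POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnPassCfg","pptpPassThru":"on"}',
    '192.168.0.10 GET /index.html -',
    '203.0.113.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnPassCfg","pptpPassThru":"0"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, TRUSTED_NETS):
        print(f"line {f.line_no}: {f.src_ip} pptpPassThru={f.value!r}: {f.reason}")
```

Running the module prints the findings for the constructed sample; on a real network you would feed it the access log of whatever proxy or firewall sits in front of the router's web interface. The allow-list is the part that matters for a fix: stripping metacharacters from an argument that still reaches a shell is a denylist, and denylists are what this class of bug gets past.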
Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Totolink a8000ru
Vendors & Products                    Totolink a8000ru

Mon, 27 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 12:00:00 +0000

Type                 Values Removed   Values Added
Description                           A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Title                                 Totolink A8000RU CGI cstecgi.cgi setVpnPassCfg os command injection
First Time appeared                   Totolink
                                      Totolink a8000ru Firmware
Weaknesses                            CWE-77
                                      CWE-78
CPEs                                  cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products                    Totolink
                                      Totolink a8000ru Firmware
References
Metrics                               cvssV2_0 {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                      cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                      cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:57:52.185Z

Reserved: 2026-04-25T15:39:20.689Z

Link: CVE-2026-7037

Vulnrichment

Updated: 2026-04-27T13:57:46.431Z

NVD

Status : Deferred

Published: 2026-04-26T12:16:23.173

Modified: 2026-04-27T18:50:06.087

Link: CVE-2026-7037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses