Description
A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes OS command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Published: 2026-04-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the cstecgi.cgi CGI handler on Totolink A8000RU routers. By sending a crafted request that manipulates the wizard argument, an attacker can execute arbitrary OS commands on the router with the privileges of the CGI process, which can lead to full device compromise. The weakness is classified as CWE-77 and CWE-78, reflecting unsanitized command-line construction.

Affected Systems

Affected is the Totolink A8000RU router running firmware version 7.1cu.643_b20200521 or any earlier build that has not been updated. No other versions or vendors are listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.3 denotes critical severity. The EPSS score is not available, but the exploit has been published and is likely usable in the wild. The flaw can be exploited remotely via the HTTP interface from an external network. The impact is remote code execution with full control over the device, and the vulnerability is not currently listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 28, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that removes the command injection flaw.
  • Limit remote access to the router management interface to the local network or VPN only.
  • Configure firewall rules to block HTTP/HTTPS traffic to the /cgi-bin/ directory from external networks.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Totolink a8000ru |
| Vendors & Products | | Totolink a8000ru |

Mon, 27 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 27 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. |
| Title | | Totolink A8000RU CGI cstecgi.cgi setWizardCfg os command injection |
| First Time appeared | | Totolink; Totolink a8000ru Firmware |
| Weaknesses | | CWE-77; CWE-78 |
| CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Totolink; Totolink a8000ru Firmware |
| References | | |
| Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T16:33:13.523Z

Reserved: 2026-04-26T19:12:55.518Z

Link: CVE-2026-7121

Vulnrichment

Updated: 2026-04-27T16:33:03.111Z

NVD

Status: Deferred

Published: 2026-04-27T12:16:25.997

Modified: 2026-04-27T18:36:42.937

Link: CVE-2026-7121

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses