Description
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument enable leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

A command‑injection flaw exists in Totolink A8000RU’s CGI handler. The setUPnPCfg function, located in /cgi-bin/cstecgi.cgi, improperly sanitizes the enable argument, allowing an attacker to execute arbitrary operating‑system commands on the device. This weakness can be leveraged to take full control of the router’s firmware environment, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability is confirmed on the Totolink A8000RU model, specifically firmware version 7.1cu.643_b20200521. Other firmware releases of the same model may also be affected if they contain the same code path, but no explicit list is provided beyond the referenced build.

Risk and Exploitability

With a CVSS base score of 9.3, the flaw is rated critical. The exploit is feasible from a remote network location by manipulating request parameters sent to the /cgi-bin/cstecgi.cgi endpoint, without needing local access. The EPSS score is not available, and the flaw is not currently listed in CISA’s KEV catalog, but the high severity and remote nature make it a priority threat.

Generated by OpenCVE AI on April 28, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the most recent firmware update from Totolink that addresses the command‑injection vulnerability in cstecgi.cgi.
  • Disable the UPnP functionality or block remote access to the /cgi-bin/cstecgi.cgi resource if the device is not required to expose these services externally.
  • Configure network perimeter controls (e.g., firewall, VLAN segregation) so that only trusted internal networks can reach the router’s management interface.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Totolink a8000ru
Vendors & Products    -                Totolink a8000ru

Mon, 27 Apr 2026 12:15:00 +0000

Type                  Values Removed   Values Added
Description           -                A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Title                 -                Totolink A8000RU CGI cstecgi.cgi setUPnPCfg os command injection
First Time appeared   -                Totolink; Totolink a8000ru Firmware
Weaknesses            -                CWE-77; CWE-78
CPEs                  -                cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products    -                Totolink; Totolink a8000ru Firmware
References            -                -
Metrics               -                cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                       cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                       cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:00:14.272Z

Reserved: 2026-04-26T19:12:59.583Z

Link: CVE-2026-7122

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-27T12:16:26.183

Modified: 2026-04-27T18:36:42.937

Link: CVE-2026-7122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses