Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument setIptvCfg results in OS command injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Published: 2026-04-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows attackers to manipulate the setIptvCfg argument of /cgi-bin/cstecgi.cgi to inject arbitrary operating system commands, resulting in remote code execution. The weakness is OS command injection, classified under CWE-77 and CWE-78.

Affected Systems

The affected product is the Totolink A8000RU router running firmware version 7.1cu.643_b20200521.

Risk and Exploitability

The CVSS score is 9.3, indicating critical severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV, but the public exploit and remote attack vector make it highly actionable. An attacker can trigger the injection via crafted CGI requests over the network.

Generated by OpenCVE AI on April 28, 2026 at 04:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released firmware update that mitigates the command injection in setIptvCfg.
  • Disable or block remote access to the /cgi-bin/cstecgi.cgi endpoint if the router configuration permits.
  • Regularly review system logs for suspicious CGI activity and maintain up-to-date firmware on all network devices.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 03:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Mon, 27 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Title | | Totolink A8000RU CGI cstecgi.cgi setIptvCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:04:44.071Z

Reserved: 2026-04-26T19:13:02.724Z

Link: CVE-2026-7123

Vulnrichment

Updated: 2026-04-27T13:04:39.334Z

NVD

Status: Deferred

Published: 2026-04-27T13:16:04.660

Modified: 2026-04-27T18:36:42.937

Link: CVE-2026-7123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses