Description
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-27
Score: 9.3 Critical
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an operating system command injection that occurs when an attacker supplies a crafted value for the wscDisabled argument to the setWiFiWpsStart function in the /cgi-bin/cstecgi.cgi CGI handler. The flaw allows arbitrary OS commands to be executed with the privileges of the router process, potentially compromising the device. The description does not specify any authentication requirement, so the risk of exploitation without prior login is not confirmed.

Affected Systems

Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. No other versions or vendors are listed in the provided data.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, and the EPSS score of 2% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw remotely by sending crafted requests to the router’s web interface, targeting the /cgi-bin/cstecgi.cgi endpoint. The description explicitly states the attack can be initiated remotely; however, authentication requirements are not specified, so the exact exploitation conditions remain unclear.

Generated by OpenCVE AI on June 18, 2026 at 08:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that fixes the command injection flaw. If Totolink has released an updated firmware for the A8000RU, install it immediately.
  • If no updated firmware is available, disable the WPS feature entirely through the router’s web interface to eliminate the vulnerable wscDisabled parameter, or block requests to the /cgi-bin/cstecgi.cgi endpoint.
  • Restrict external access to the router’s web interface by limiting management to trusted IPs or internal networks, and monitor logs for suspicious requests.

Generated by OpenCVE AI on June 18, 2026 at 08:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a8000ru
Vendors & Products Totolink a8000ru

Tue, 28 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Title Totolink A8000RU CGI cstecgi.cgi setWiFiWpsStart os command injection
First Time appeared Totolink
Totolink a8000ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a8000ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink A8000ru A8000ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T14:13:11.537Z

Reserved: 2026-04-27T13:56:10.591Z

Link: CVE-2026-7202

cve-icon Vulnrichment

Updated: 2026-04-29T14:13:07.739Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T01:16:01.423

Modified: 2026-06-17T11:01:59.850

Link: CVE-2026-7202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T08:45:03Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')