Impact
The vulnerability is an operating system command injection that occurs when an attacker supplies a crafted value for the wscDisabled argument to the setWiFiWpsStart function in the /cgi-bin/cstecgi.cgi CGI handler. The flaw allows arbitrary OS commands to be executed with the privileges of the router process, potentially compromising the device. The description does not specify any authentication requirement, so the risk of exploitation without prior login is not confirmed.
Affected Systems
Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. No other versions or vendors are listed in the provided data.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity, and the EPSS score of 2% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw remotely by sending crafted requests to the router’s web interface, targeting the /cgi-bin/cstecgi.cgi endpoint. The description explicitly states the attack can be initiated remotely; however, authentication requirements are not specified, so the exact exploitation conditions remain unclear.
OpenCVE Enrichment