Description
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-28
Score: 9.3 Critical
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the setVpnAccountCfg function of the /cgi-bin/cstecgi.cgi CGI handler in Totolink A8000RU firmware 7.1cu.643_b20200521. Unvalidated User input allows an attacker to perform OS command injection, enabling arbitrary command execution on the router. This flaw maps to CWE-77 and CWE-78 and could compromise confidentiality, integrity, and availability of the device.

Affected Systems

Affected devices are Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The issue resides in the CGI Handler component, specifically the /cgi-bin/cstecgi.cgi path. No other devices or firmware revisions are currently documented as vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity, and the vulnerability can be triggered remotely without authentication. The EPSS score is 2%, and the public disclosure of an exploit indicates that an exploit is publicly available. Based on the description, it is inferred that adversaries may already be attempting or have access to attack tools. Because the flaw allows arbitrary command execution, any compromised router could become a pivot point for lateral movement or internet-facing exposure. The vulnerability is not listed in the CISA KEV catalog yet, but the combination of high CVSS, remote reachability, and publicly disclosed exploit increases the risk profile.

Generated by OpenCVE AI on June 18, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement input validation and sanitization for the User argument in /cgi-bin/cstecgi.cgi to mitigate OS command injection (CWE-77, CWE-78).
  • Restrict or disable remote access to the router’s cgi-bin directory or the cstecgi.cgi endpoint via network firewall rules or router configuration.
  • Restrict management traffic to trusted IP addresses and networks only.
  • If a future firmware update that addresses the command injection becomes available, apply it promptly.

Generated by OpenCVE AI on June 18, 2026 at 14:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a8000ru
Vendors & Products Totolink a8000ru

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Title Totolink A8000RU CGI cstecgi.cgi setVpnAccountCfg os command injection
First Time appeared Totolink
Totolink a8000ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a8000ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink A8000ru A8000ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T14:20:39.637Z

Reserved: 2026-04-27T17:22:42.637Z

Link: CVE-2026-7240

cve-icon Vulnrichment

Updated: 2026-04-29T14:20:36.026Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T08:16:02.990

Modified: 2026-06-17T11:02:03.840

Link: CVE-2026-7240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')