Impact
The vulnerability originates in the setVpnAccountCfg function of the /cgi-bin/cstecgi.cgi CGI handler in Totolink A8000RU firmware 7.1cu.643_b20200521. Unvalidated User input allows an attacker to perform OS command injection, enabling arbitrary command execution on the router. This flaw maps to CWE-77 and CWE-78 and could compromise confidentiality, integrity, and availability of the device.
Affected Systems
Affected devices are Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The issue resides in the CGI Handler component, specifically the /cgi-bin/cstecgi.cgi path. No other devices or firmware revisions are currently documented as vulnerable.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity, and the vulnerability can be triggered remotely without authentication. The EPSS score is 2%, and the public disclosure of an exploit indicates that an exploit is publicly available. Based on the description, it is inferred that adversaries may already be attempting or have access to attack tools. Because the flaw allows arbitrary command execution, any compromised router could become a pivot point for lateral movement or internet-facing exposure. The vulnerability is not listed in the CISA KEV catalog yet, but the combination of high CVSS, remote reachability, and publicly disclosed exploit increases the risk profile.
OpenCVE Enrichment