Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Published: 2026-04-28
Score: 9.3 Critical
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi CGI script on a Totolink A8000RU router allows an attacker to manipulate the wifiOff argument and inject arbitrary operating‑system commands. The vulnerability can be triggered via a standard HTTP request to the router's web interface, enabling remote execution of commands with the privileges of the router’s web service. The impact is the potential for the attacker to alter router configuration, exfiltrate information, or otherwise compromise the device’s integrity.

Affected Systems

The issue exists in Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The vulnerable code resides in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi CGI handler. Users should check whether their firmware matches this build and determine if a newer release contains a fix.

Risk and Exploitability

The CVSS score of 9.3 designates this vulnerability as critical, while an EPSS score of 2% indicates a low current probability of exploitation. Nevertheless, the public availability of a working exploit and the absence of a KEV listing raise concerns for exposed routers. Because the attack requires only remote network connectivity to the router’s management interface, it is readily exploitable from outside the local network.

Generated by OpenCVE AI on June 18, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to the latest version released by Totolink that fixes the command‑injection vulnerability on the A8000RU.
  • Disable or restrict remote management of the router by turning off remote administration features in the web interface or using parental controls.
  • Configure the network firewall to block HTTP/HTTPS access to the router’s management port from external networks, allowing it only from trusted internal sources.

Generated by OpenCVE AI on June 18, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a8000ru
Vendors & Products Totolink a8000ru

Tue, 28 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Title Totolink A8000RU CGI cstecgi.cgi setWiFiBasicCfg os command injection
First Time appeared Totolink
Totolink a8000ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a8000ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink A8000ru A8000ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T15:19:23.529Z

Reserved: 2026-04-27T17:22:46.191Z

Link: CVE-2026-7241

cve-icon Vulnrichment

Updated: 2026-04-29T15:18:41.850Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T09:16:17.457

Modified: 2026-06-17T11:02:03.960

Link: CVE-2026-7241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')