Impact
A flaw in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi CGI script on a Totolink A8000RU router allows an attacker to manipulate the wifiOff argument and inject arbitrary operating‑system commands. The vulnerability can be triggered via a standard HTTP request to the router's web interface, enabling remote execution of commands with the privileges of the router’s web service. The impact is the potential for the attacker to alter router configuration, exfiltrate information, or otherwise compromise the device’s integrity.
Affected Systems
The issue exists in Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The vulnerable code resides in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi CGI handler. Users should check whether their firmware matches this build and determine if a newer release contains a fix.
Risk and Exploitability
The CVSS score of 9.3 designates this vulnerability as critical, while an EPSS score of 2% indicates a low current probability of exploitation. Nevertheless, the public availability of a working exploit and the absence of a KEV listing raise concerns for exposed routers. Because the attack requires only remote network connectivity to the router’s management interface, it is readily exploitable from outside the local network.
OpenCVE Enrichment