Impact
The flaw resides in the setOpenVpnClientCfg function of /cgi-bin/cstecgi.cgi in Totolink A8000RU firmware 7.1cu.643_b20200521. The vulnerability allows an attacker to inject arbitrary operating system commands via manipulation of the enabled argument. Exploitation results in remote execution of shell commands, effectively compromising the device’s confidentiality, integrity and availability. The weakness is characterized by CWE-77 (OS Command Injection) and CWE-78 (OS Command Injection).
Affected Systems
Affected vendor is Totolink; product is the A8000RU router running version 7.1cu.643_b20200521 of its firmware. Any device using this model and firmware revision is susceptible. Additional hardware models or firmware revisions that do not patch this function are not identified in the current data.
Risk and Exploitability
The CVSS v3 score of 9.3 marks this as Critical. An EPSS score of 2% indicates a moderate likelihood that the vulnerability will be exploited, and the publicly disclosed exploit code further increases the realistic probability. The KEV catalog does not list this CVE, but the active exploit code and moderate EPSS score suggest a high risk of real‑world exploitation. Attackers can perform the exploit remotely through the router’s web interface without requiring local access.
OpenCVE Enrichment