Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-05-01
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerable CGI script cstecgi.cgi in the Totolink A8000RU firmware accepts a proto argument and passes it directly to the operating system for execution. This flaw permits an attacker to inject arbitrary shell commands into the proto field, leading to full remote code execution on the device. The impact is severe, compromising confidentiality, integrity, and availability of the affected router. The weakness is a classic command injection vulnerability (CWE-77/78).

Affected Systems

The issue affects the Totolink A8000RU model running firmware version 7.1cu.643_b20200521. No other devices or firmware versions are listed as affected. Administrators should verify that their routers are running this specific firmware build before taking remedial action.

Risk and Exploitability

The CVSS score of 9.3 reflects high exploitation risk. The EPSS score is not available, but the vulnerability is publicly documented and the exploit is reported as publicly available. The vulnerability can be triggered remotely without authentication: an attacker can send a crafted request to the /cgi-bin/cstecgi.cgi endpoint to execute arbitrary commands. The absence of a KEV listing does not reduce the urgency, since a public exploit implies a realistic threat.

Generated by OpenCVE AI on May 1, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware release that removes the insecure handling of the proto argument and fixes the command injection flaw; consult Totolink’s release notes or support portal for the updated firmware.
  • Apply network segmentation or firewall rules that block external access to the /cgi-bin/cstecgi.cgi endpoint, limiting exposure to the local network or authenticated users only.
  • Implement input validation or parameter whitelisting for the proto argument to eliminate the possibility of shell injection; as a temporary measure, reject or sanitize any value that includes characters such as ';', '&', or '|' that could be interpreted by the shell.

Generated by OpenCVE AI on May 1, 2026 at 04:44 UTC.
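As an added illustration of the recommended actions above (not code from OpenCVE, Totolink, or the firmware), the following shows an allowlist check for a proto-style parameter alongside a detection routine that flags access-log entries where a request to /cgi-bin/cstecgi.cgi carries a proto value outside the allowlist. The allowlist values, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for the proto parameter (hypothetical; the advisory
# does not state which values the firmware legitimately accepts).
PROTO_ALLOWLIST = frozenset({"tcp", "udp", "both"})

# Characters the advisory names as shell-significant (';', '&', '|') plus
# other common command separators and expansions. Only a fallback check:
# the allowlist, not a denylist, is the real control.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

def proto_is_valid(value: str) -> bool:
    """Allowlist check: accept only an exact known-good value."""
    return value in PROTO_ALLOWLIST

def proto_looks_injected(value: str) -> bool:
    """Weaker fallback check: does the value carry shell metacharacters?"""
    return SHELL_META.search(value) is not None

# Constructed sample access-log lines in a combined-log-like shape (assumed).
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2026:03:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?proto=tcp HTTP/1.1" 200 512
192.0.2.11 - - [01/May/2026:03:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?proto=udp%3Becho%20probe HTTP/1.1" 200 12
192.0.2.12 - - [01/May/2026:03:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious_requests(log_text: str) -> list:
    """Return (client_ip, proto_value) for cstecgi.cgi requests whose proto fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/cgi-bin/cstecgi.cgi":
            continue
        # parse_qs percent-decodes, so %3B becomes ';' before the check runs
        for value in parse_qs(parts.query).get("proto", []):
            if not proto_is_valid(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits
```

Only query-string parameters appear in access logs; a proto value sent in a POST body would need a reverse proxy or IDS capture to be inspected the same way.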

Advisories

No advisories yet.

History

Fri, 01 May 2026 03:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Fri, 01 May 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title | | Totolink A8000RU CGI cstecgi.cgi vulnerability os command injection
First Time appeared | | Totolink
| | Totolink a8000ru Firmware
Weaknesses | | CWE-77
| | CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink
| | Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
| | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
| | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
| | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T01:30:16.768Z

Reserved: 2026-04-30T18:22:42.375Z

Link: CVE-2026-7538

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-01T02:16:04.533

Modified: 2026-05-01T02:16:04.533

Link: CVE-2026-7538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:45:08Z

Weaknesses