Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the firmware of the Totolink A8000RU router allows a remote attacker to manipulate the enable argument of the cstecgi.cgi script, resulting in arbitrary operating‑system command execution. This vulnerability is classified as OS command injection, identified by CWE‑77 and CWE‑78, and carries a CVSS score of 9.3, indicating critical severity.

Affected Systems

Any A8000RU router running firmware 7.1cu.643_b20200521 is vulnerable, as the problem resides in the setAppFilterCfg function in /cgi-bin/cstecgi.cgi accessed via the web interface.

Risk and Exploitability

Exploit code has been publicly released and can be invoked remotely without local privileges, raising the real‑world likelihood of attack. The CVSS score confirms a high risk level; while no EPSS score is available, the existence of a public exploit signals that attackers can command the device at will. Although the vulnerability has not yet been listed in the CISA KEV catalog, the combination of critical severity and available exploit warrants immediate attention.

Generated by OpenCVE AI on May 5, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Totolink firmware update that patches the command‑injection flaw in setAppFilterCfg.
  • If no update is available, block external access to /cgi-bin/cstecgi.cgi by configuring firewall rules or router ACLs, preventing the CGI from being reached by remote hosts.
  • Implement input validation or strict whitelisting for the enable parameter on the router’s configuration interface so only allowed values are accepted.
  • Separate the router from critical internal networks and monitor system logs for attempts to execute shell commands via the CGI endpoint.

Generated by OpenCVE AI on May 5, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a8000ru
Vendors & Products Totolink a8000ru

Tue, 05 May 2026 05:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title Totolink A8000RU cstecgi.cgi setAppFilterCfg os command injection
First Time appeared Totolink
Totolink a8000ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a8000ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A8000ru A8000ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T04:45:13.416Z

Reserved: 2026-05-04T22:14:08.282Z

Link: CVE-2026-7823

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T05:16:01.110

Modified: 2026-05-05T05:16:01.110

Link: CVE-2026-7823

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T07:15:18Z

Weaknesses