Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument ip results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an OS command injection in the setDiagnosisCfg endpoint of the /cgi-bin/cstecgi.cgi script. By supplying a specially crafted value for the ip argument, an attacker can cause the firmware to execute arbitrary shell commands on the device. This allows the attacker to take full control of the router, read or modify configuration, install malware, or pivot to other devices on the network.

Affected Systems

The vulnerable firmware version is Totolink A8000RU 7.1cu.643_b20200521. The issue is found in the Web Management Interface component of the router, specifically the file /cgi-bin/cstecgi.cgi. Users of this model and firmware version are affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. EPSS is not available, but the vulnerability is publicly known and can be exploited remotely via the web interface. The vulnerability is not listed in the CISA KEV catalog, but the availability of an exploit in public sources and the remote nature of the attack mean that a malicious actor could compromise the device with little effort. Information about authentication requirements is not provided in the available data.

Generated by OpenCVE AI on May 24, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Totolink that eliminates the command injection flaw.
  • If an update is not immediately available, restrict access to the router’s web management interface to trusted internal networks or disable remote management entirely.
  • Configure a firewall rule to block inbound traffic to the router’s web UI from untrusted IP ranges.

Generated by OpenCVE AI on May 24, 2026 at 16:20 UTC.

Advisories

No advisories yet.

History

Sun, 24 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Sun, 24 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument ip results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink A8000ru, A8000ru Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T13:30:11.257Z

Reserved: 2026-05-23T15:03:05.743Z

Link: CVE-2026-9384

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T16:30:03Z

Weaknesses