Description
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument command causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A parser bug in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi web component allows an attacker to inject arbitrary operating‑system commands. The flaw is exercised through the command argument supplied in the request, leading directly to command execution on the router’s firmware. The result is complete remote compromise: an attacker can install malware, exfiltrate configuration data, or disrupt device operation. The weakness is classified as CWE-77 and CWE-78, indicating an unsafe use of user input in a system command invocation.

Affected Systems

The vulnerability applies to the Totolink A8000RU router, specifically firmware version 7.1cu.643_b20200521. No other vendor or product versions are reported to be affected.

Risk and Exploitability

With a CVSS score of 9.3, the flaw ranks as critical, and the exploit has been publicly disclosed, meaning it is likely to be actively used. While an EPSS score is not available, the absence of a low number should not reduce the urgency. The device can be reached remotely through its web management interface, so the attack vector is remote and does not require local access. The vulnerability is not listed in the CISA KEV catalog, but its severity, public availability, and broad impact make it a high‑risk issue that requires urgent response.

Generated by OpenCVE AI on May 24, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch released by Totolink that removes the unsafe command parsing in cstecgi.cgi
  • If a patch is not yet available, restrict or block external access to the router’s web management interface using firewall rules or network segmentation
  • Consider disabling the traceroute configuration feature if it is not required for your network operations

Generated by OpenCVE AI on May 24, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 24 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a8000ru
Vendors & Products Totolink a8000ru

Sun, 24 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument command causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Title Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection
First Time appeared Totolink
Totolink a8000ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a8000ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A8000ru A8000ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T13:45:12.803Z

Reserved: 2026-05-23T15:03:08.392Z

Link: CVE-2026-9385

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-24T15:30:02Z

Weaknesses