Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument lang leads to OS command injection. The attack may be performed remotely. The exploit is publicly available and might be used.
Published: 2026-05-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in the setLanguageCfg function of the /cgi-bin/cstecgi.cgi Web Management Interface on Totolink A8000RU routers. By altering the lang argument, an attacker can inject operating‑system commands, causing the router to execute arbitrary code. The weakness is a classic command‑injection vulnerability classified as CWE‑77 and CWE‑78, and it results in full control over the device if exploited.

Affected Systems

Only the Totolink A8000RU running firmware 7.1cu.643_b20200521 is listed as vulnerable. No other models or firmware releases are mentioned as affected, so devices with different firmware versions or from other brands are not reported as at risk according to the current data.

Risk and Exploitability

The condition for exploitation is remote access to the router's Web Management Interface, which is typically reachable over HTTP(S). The CVSS score of 9.3 signals a high-severity risk, and public proof-of-concept exploits are available, meaning attackers can target unpatched routers without local access. Although the EPSS score is unavailable and the vulnerability is not listed in CISA's KEV catalog, the combination of remote exploitability and severe impact makes the risk high and warrants immediate remediation.

Generated by OpenCVE AI on May 24, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Flash the router with the latest firmware supplied by Totolink that removes the command‑injection flaw.
  • If a firmware update is temporarily unavailable, limit access to the Web Management Interface to the internal network or localhost using firewall rules or router ACLs.
  • If the language‑setting feature is required, manually modify the /cgi-bin/cstecgi.cgi script to validate or sanitize the lang parameter before it is passed to the operating‑system command.

Generated by OpenCVE AI on May 24, 2026 at 15:50 UTC.
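The last recommended action, validating the lang parameter before it reaches any OS command, as an added illustration that is not Totolink code and makes no claim about how cstecgi.cgi is actually implemented: an exact-match allowlist rejects anything but known language codes, and the value is then handed to the helper as its own argv element without a shell, so no metacharacter can ever be interpreted. The language codes, the function names and the /usr/sbin/set_lang.sh helper path are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed allowlist: the only language codes the UI actually offers. */
static const char *const ALLOWED_LANGS[] = { "en", "zh-cn", "zh-tw", "ko", "ja" };

/* Returns 1 if lang is exactly one of the allowed codes, else 0.
 * Exact comparison rejects shell metacharacters, whitespace, newlines
 * and trailing text without needing a fragile denylist. */
int validate_lang(const char *lang)
{
    if (lang == NULL || lang[0] == '\0' || strlen(lang) > 8)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_LANGS / sizeof ALLOWED_LANGS[0]; i++)
        if (strcmp(lang, ALLOWED_LANGS[i]) == 0)
            return 1;
    return 0;
}

/* Apply the setting. Even an allowlisted value is passed as a separate
 * argv entry via execv(), never through system() or popen(), so /bin/sh
 * never parses it. Returns the helper's exit status, or -1 if the value
 * was rejected or the process could not be run.
 * "/usr/sbin/set_lang.sh" is an assumed helper path, not a Totolink file. */
int set_language_cfg(const char *lang)
{
    if (!validate_lang(lang))
        return -1;                      /* reject before any process is spawned */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/sbin/set_lang.sh", (char *)lang, NULL };
        execv(argv[0], argv);           /* no shell involved */
        _exit(127);                     /* only reached if execv fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```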

Advisories

No advisories yet.

History

Sun, 24 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Sun, 24 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument lang leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T14:00:15.705Z

Reserved: 2026-05-23T15:03:11.043Z

Link: CVE-2026-9386

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T16:30:03Z

Weaknesses