Description
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument mode can lead to OS command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the setScheduleCfg function of the cstecgi.cgi web management interface allows an attacker to inject OS commands through manipulation of the mode parameter. The flaw enables remote execution of arbitrary commands, thereby compromising the confidentiality, integrity, and availability of the affected device. The CVSS score of 9.3 highlights the severity of this remote code execution.

Affected Systems

The flaw affects Totolink A8000RU routers running firmware 7.1cu.643_b20200521. All devices with this firmware and the exposed web management interface are potentially vulnerable to exploitation.

Risk and Exploitability

The vulnerability carries a high CVSS score of 9.3 and is not listed in the CISA KEV catalog; however, a publicly available exploit exists. Attackers can trigger the flaw remotely by sending a crafted request to the setScheduleCfg endpoint, enabling them to execute arbitrary system commands on the router’s operating system.

Generated by OpenCVE AI on May 24, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Totolink firmware update that addresses the setScheduleCfg command injection flaw
  • If a firmware update is not immediately available, block external access to the router’s Web Management Interface (usually via HTTP/HTTPS ports) using the device’s firewall or a network firewall
  • Configure the router to allow the Web Management Interface only from trusted internal networks or through a VPN, thereby limiting exposure to remote attackers

Advisories

No advisories yet.

History

Sun, 24 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Sun, 24 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument mode can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title | | Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T14:30:11.986Z

Reserved: 2026-05-23T15:03:16.783Z

Link: CVE-2026-9388

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T17:30:04Z

Weaknesses