Description
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness exists in the setRemoteCfg function of the /cgi-bin/cstecgi.cgi component within the Web Management Interface of Totolink A8000RU firmware. Manipulation of the enable argument allows an attacker to inject operating‑system commands, resulting in arbitrary code execution with the privileges of the web service. Such an exploit can compromise confidentiality, integrity, and availability of the device and any network resources it controls.

Affected Systems

The vulnerability affects Totolink A8000RU devices running firmware version 7.1cu.643_b20200521. No other versions are reported as affected.

Risk and Exploitability

The CVSS score of 9.3 (Critical) indicates a critical-severity vulnerability that can be exploited remotely, likely through the publicly exposed web interface. The EPSS score is not available, so the current likelihood of exploitation is unknown, but the presence of a publicly available exploit suggests a potential for real‑world attacks. The vulnerability is not listed in CISA’s KEV catalog, indicating it has not yet been documented as a known exploited vulnerability by that authority.

Generated by OpenCVE AI on May 25, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the A8000RU firmware to the latest version that addresses the command injection flaw
  • Change default or weak administrative credentials and enforce strong password policies
  • Restrict web management access to trusted IP ranges or internal LAN only, and consider disabling remote management if not needed

Advisories

No advisories yet.

History

Mon, 25 May 2026 00:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Sun, 24 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Title | | Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T23:30:12.979Z

Reserved: 2026-05-24T06:27:25.387Z

Link: CVE-2026-9406

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T00:30:12Z

Weaknesses