Description
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A recent vulnerability in Totolink A8000RU allows a remote attacker to inject arbitrary operating system commands through the enable parameter of the /cgi-bin/cstecgi.cgi endpoint. This flaw is an example of CWE-77 and CWE-78 weaknesses and results in the attacker gaining the privileges of the web management process, effectively allowing full remote code execution on the device.

Affected Systems

The affected device is the Totolink A8000RU wireless router running firmware build 7.1cu.643_b20200521. No other vendor versions are listed in the current CNA data, so the impact is limited to this specific model and firmware revision.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity. The EPSS score is not available and it is not listed in the CISA KEV catalog, but the description confirms that a publicly available exploit exists and can be performed from a remote location. Therefore, the risk remains high and the attack surface is directly exposed through the web management interface.

Generated by OpenCVE AI on May 25, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Totolink that addresses the command injection flaw in the setStaticDhcpRules function.
  • If a firmware update cannot be applied immediately, restrict access to the web management interface so that only trusted local hosts can reach it, for example by placing the router in a separate subnet or using a VLAN with strict access controls.
  • Disable or block the /cgi-bin/cstecgi.cgi endpoint if possible, ensuring that the setStaticDhcpRules functionality is not exposed to unauthenticated users.
  • Monitor router logs for attempts to trigger the vulnerable CGI script and alert on suspicious activity.
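
The last two actions above (keeping the management CGI reachable only from trusted hosts, and alerting on attempts to drive the vulnerable function) can be checked mechanically. The following Python detector is an added example written for this page, not code from OpenCVE or Totolink. It assumes a constructed log format in which a reverse proxy or log collector records each request's path and decoded parameters, assumes the CGI names its target function in a `topicurl` parameter, assumes `enable` is a boolean toggle whose only legitimate values are `0` and `1`, and assumes `192.168.1.0/24` is the trusted management network; all of these are assumptions, and the sample log lines are constructed, not real traffic.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Assumptions for this added example (none of them come from the advisory):
#  - a reverse proxy or log collector writes one line per request in the
#    constructed format matched by LOG_RE, with decoded parameters appended;
#  - the CGI names the function it should run in a 'topicurl' parameter;
#  - 'enable' is a boolean toggle, so any value other than "0" or "1" is anomalous;
#  - management access is expected only from TRUSTED_NET.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'params="(?P<params>[^"]*)"$'
)
VULNERABLE_PATH = "/cgi-bin/cstecgi.cgi"
VULNERABLE_FUNCTION = "setStaticDhcpRules"
SUSPECT_PARAM = "enable"
ALLOWED_VALUES = {"0", "1"}
# Shell metacharacters that have no business inside a boolean flag.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_params(raw: str) -> Dict[str, str]:
    """Split 'a=1&b=2' into a dict, URL-decoding both keys and values."""
    out: Dict[str, str] = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[unquote_plus(key)] = unquote_plus(value)
    return out


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "ts": m["ts"],
        "method": m["method"],
        "path": m["path"],
        "params": parse_params(m["params"]),
    }


def assess(event: dict) -> str:
    """Classify a parsed request as 'benign', 'watch' or 'alert'."""
    if event["path"] != VULNERABLE_PATH:
        return "benign"
    params = event["params"]
    from_trusted = ipaddress.ip_address(event["src"]) in TRUSTED_NET
    targets_function = VULNERABLE_FUNCTION in params.values()
    value = params.get(SUSPECT_PARAM)
    bad_value = value is not None and (
        value not in ALLOWED_VALUES or SHELL_META.search(value) is not None
    )
    if targets_function and bad_value:
        return "alert"   # non-boolean 'enable' sent to the vulnerable function
    if not from_trusted:
        return "watch"   # management CGI reached from outside the trusted LAN
    return "benign"


def scan(lines: List[str]) -> List[dict]:
    """Run assess() over raw log lines and return every non-benign finding."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        verdict = assess(event)
        if verdict != "benign":
            findings.append({"verdict": verdict, "src": event["src"], "ts": event["ts"]})
    return findings


# Constructed sample log lines (not real traffic). The third line carries a
# non-boolean 'enable' value, which is the shape of request the check flags.
SAMPLE_LOG = [
    '192.168.1.20 [25/May/2026:01:19:55 +0000] "POST /cgi-bin/cstecgi.cgi" params="topicurl=setStaticDhcpRules&enable=1"',
    '192.168.1.20 [25/May/2026:01:19:58 +0000] "GET /index.html" params=""',
    '203.0.113.7 [25/May/2026:01:20:01 +0000] "POST /cgi-bin/cstecgi.cgi" params="topicurl=setStaticDhcpRules&enable=1%3Becho+test"',
    '203.0.113.7 [25/May/2026:01:20:05 +0000] "POST /cgi-bin/cstecgi.cgi" params="topicurl=getSysInfo"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The two verdict levels map onto the two actions: `watch` fires for any contact with the management CGI from outside the trusted range, regardless of which function is named, while `alert` requires both the vulnerable function and a value for `enable` that a boolean toggle could never legitimately carry. Because the check is on the parameter's type rather than on a list of known payload strings, it does not need updating for each new encoding of the same injection.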

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:45:00 +0000

Values added (no values removed):

First Time appeared: Totolink a8000ru
Vendors & Products: Totolink a8000ru

Mon, 25 May 2026 00:15:00 +0000

Values added (no values removed):

Description: A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.
Title: Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection
First Time appeared: Totolink; Totolink a8000ru Firmware
Weaknesses: CWE-77, CWE-78
CPEs: cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Totolink; Totolink a8000ru Firmware
References: (none)
Metrics:
  cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T00:00:19.245Z

Reserved: 2026-05-24T06:27:30.904Z

Link: CVE-2026-9408

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T01:30:13Z

Weaknesses