Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a remote, unauthenticated attacker to inject arbitrary operating system commands through the bgProtection argument of the setWiFiAdvancedCfg handler in the cstecgi.cgi script of the router’s web interface (the CVSS vectors record PR:N and UI:N). Successful exploitation makes the router execute attacker‑supplied commands with the privileges of the CGI process, which on consumer routers is typically root, giving the attacker complete control over the device. The flaw is classified as CWE‑77 (Command Injection) and CWE‑78 (OS Command Injection). The impact includes full system compromise, interception or theft of traffic passing through the router, network disruption, and use of the device as a persistent foothold for attacks on the LAN behind it.

Affected Systems

Firmware version 7.1cu.643_b20200521 of the Totolink A8000RU router is affected. No other device models or firmware releases were listed as vulnerable.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 (v3.1: 9.8) indicates critical severity: network attack vector, low attack complexity, no privileges and no user interaction required, and the vulnerability is triggered through the exposed web management interface. EPSS data is not available, but a proof‑of‑concept exploit has been released publicly (E:P in the vectors), so the likelihood of exploitation is significant. The vulnerability is not listed in CISA’s KEV catalog; nonetheless, the public exploit and critical score mean that any A8000RU whose web interface is reachable from the internet should be treated as exposed, and one that has been reachable while the exploit was public should be treated as potentially compromised.

Generated by OpenCVE AI on May 25, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware update once the vendor publishes one that validates or removes the bgProtection parameter in setWiFiAdvancedCfg; at the time of writing no such update is available.
  • Until a fix exists, disable remote (WAN‑side) management entirely and restrict the web management interface to a trusted LAN segment or management VLAN.
  • Enforce that restriction with firewall rules that drop inbound traffic to the ports used by the web interface (e.g., 80/443) from untrusted networks, rather than relying on the router’s own settings alone.
  • Monitor for requests to /cgi-bin/cstecgi.cgi that invoke setWiFiAdvancedCfg with a bgProtection value containing shell metacharacters; given the public exploit, treat an internet‑exposed device as potentially compromised and reset it to factory settings after isolating it.
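The detection logic below is an added example and is not part of this OpenCVE page or of any Totolink code. It inspects captured HTTP requests to the router’s web interface and flags setWiFiAdvancedCfg calls whose bgProtection value contains shell metacharacters or falls outside a small allowlist. Two assumptions are labelled in the code: that cstecgi.cgi selects its handler through a topicurl field in a JSON or form‑encoded POST body (common on Totolink firmware, but not stated on this page), and that legitimate bgProtection values are the flags "0" and "1". The sample requests are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs

# Constants taken from the advisory text.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_HANDLER = "setWiFiAdvancedCfg"
TARGET_PARAM = "bgProtection"

# Shell metacharacters that have no business in a Wi-Fi protection-mode setting.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# Assumption: bgProtection is a 0/1 flag. Anything else is unexpected even
# if it contains no metacharacter, so it is reported at lower severity.
ALLOWED_VALUES = {"0", "1"}


def parse_body(content_type, body):
    """Return request parameters as a flat dict of strings.

    Assumption: cstecgi.cgi accepts either a JSON object or a form-encoded body.
    """
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def inspect_request(method, path, content_type, body):
    """Return an alert dict for a suspicious setWiFiAdvancedCfg call, else None."""
    if path != TARGET_PATH:
        return None
    params = parse_body(content_type, body)
    # Assumption: the handler is selected by a 'topicurl' field in the body.
    if params.get("topicurl") != TARGET_HANDLER:
        return None
    value = params.get(TARGET_PARAM)
    if value is None:
        return None
    if SHELL_META.search(value):
        return {"severity": "high", "method": method,
                "reason": "shell metacharacters in bgProtection", "value": value}
    if value not in ALLOWED_VALUES:
        return {"severity": "medium", "method": method,
                "reason": "bgProtection outside expected allowlist", "value": value}
    return None


# Constructed sample traffic: (method, path, content-type, body).
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "application/json",
     '{"topicurl":"setWiFiAdvancedCfg","bgProtection":"1"}'),
    ("POST", TARGET_PATH, "application/json",
     '{"topicurl":"setWiFiAdvancedCfg","bgProtection":"1;reboot"}'),
    ("POST", TARGET_PATH, "application/x-www-form-urlencoded",
     "topicurl=setWiFiAdvancedCfg&bgProtection=%60id%60"),
    ("POST", TARGET_PATH, "application/json",
     '{"topicurl":"setWiFiAdvancedCfg","bgProtection":"maybe"}'),
    ("POST", TARGET_PATH, "application/json",
     '{"topicurl":"getSysStatusCfg"}'),
    ("GET", "/index.htm", "", ""),
]


def scan(requests):
    """Run inspect_request over a request list and collect the alerts in order."""
    alerts = []
    for method, path, ctype, body in requests:
        verdict = inspect_request(method, path, ctype, body)
        if verdict:
            alerts.append((path, verdict))
    return alerts


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict['severity'].upper():6} {path} {verdict['reason']}: {verdict['value']!r}")
```

The allowlist check matters as much as the metacharacter check: a vendor fix that only strips ";" and "|" can be bypassed by characters the filter forgot, whereas rejecting anything other than the two legitimate flag values leaves no surface to probe. The same approach is the right shape for the firmware-side fix once Totolink ships one.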

Generated by OpenCVE AI on May 25, 2026 at 07:22 UTC.


Advisories

No advisories yet.

History

Mon, 25 May 2026 09:15:00 +0000 (values added; none removed)

  First Time appeared:  Totolink a8000ru
  Vendors & Products:   Totolink a8000ru

Mon, 25 May 2026 06:45:00 +0000 (values added; none removed)

  Description:          A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
  Title:                Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection
  First Time appeared:  Totolink; Totolink a8000ru Firmware
  Weaknesses:           CWE-77; CWE-78
  CPEs:                 cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
  Vendors & Products:   Totolink; Totolink a8000ru Firmware
  References:
  Metrics:
    cvssV2_0  score 10   AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
    cvssV3_0  score 9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
    cvssV3_1  score 9.8  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
    cvssV4_0  score 9.3  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T06:00:15.497Z

Reserved: 2026-05-24T07:07:22.122Z

Link: CVE-2026-9432

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T09:00:11Z

Weaknesses