Description
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument wscDisabled leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerable parameter in the Web Management Interface of the Totolink A8000RU firmware allows an attacker to inject operating system commands, potentially executing arbitrary code with the privileges of the web daemon. If exploited, the attacker could gain full control of the device, manipulate network traffic, or launch further attacks on connected systems. The weakness stems from insufficient input validation (CWE-77, CWE-78).

Affected Systems

The affected model is the Totolink A8000RU running firmware version 7.1cu.643_b20200521. This single model is the only one referenced in the CNA information and the CPE data, indicating that earlier firmware releases are likely unaffected until a patch is released.

Risk and Exploitability

The CVSS score of 9.3 classifies the vulnerability as Critical. It is not listed in the CISA KEV catalog, but the public disclosure and remote nature of the attack vector increase the risk of real‑world exploitation. Attackers can exploit the flaw by sending crafted HTTP requests to /cgi-bin/cstecgi.cgi, manipulating the wscDisabled argument from an external network without authentication. The impact is a full system compromise that can be carried out remotely.

Generated by OpenCVE AI on May 25, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest supported version or apply the vendor‑issued patch that eliminates the command injection in setWiFiWpsCfg
  • Restrict external access to the web management interface by placing the device behind a firewall or disabling the interface when not needed
  • Disable WPS functionality, if possible, to remove the vulnerable parameter from use and monitor web logs for anomalous requests



Advisories

No advisories yet.

History

Mon, 25 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Mon, 25 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument wscDisabled leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg OS command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0 {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T06:30:13.840Z

Reserved: 2026-05-24T07:07:27.282Z

Link: CVE-2026-9434

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T08:45:05Z

Weaknesses