Description
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enable results in OS command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the setQosCfg function of the /cgi-bin/cstecgi.cgi script permits attackers to inject arbitrary operating system commands by manipulating the enable argument. The vulnerability is classified as an OS command injection with a CVSS score of 9.3, meaning an attacker can execute arbitrary commands with the privileges of the web management interface process. Remote exploitation is possible and a public exploit is available.

Affected Systems

Totolink A8000RU routers running firmware 7.1cu.643_b20200521 are affected. The vulnerability resides in the Web Management Interface component of this device.

Risk and Exploitability

The absence of a KEV entry does not diminish the risk implied by the high CVSS score, and the public availability of an exploit lowers the practical barrier to attack. An attacker who can reach the web interface, whether from the internal network or through a management interface exposed to the Internet, can trigger the command injection. The exploit does not appear to require privileged access beyond reaching the web interface, which makes it feasible in many deployment scenarios.

Generated by OpenCVE AI on May 25, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware version that addresses the setQosCfg injection flaw.
  • If a firmware update is not yet available, limit access to the Web Management Interface by restricting it to trusted IP addresses or via VPN only, and disable it when not needed.
  • As a temporary workaround, patch the /cgi-bin/cstecgi.cgi script to perform strict input validation on the enable parameter, ensuring only allowed characters are accepted and shell metacharacters are removed.
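As an added illustration of the input-validation approach in the third item (example code written for this page, not Totolink's firmware; the handler name set_qos_cfg, the qos_ctl binary path and the use of execv are assumptions, since the real cstecgi.cgi internals are not shown here):

```c
/* Added example, not the vendor's code. Demonstrates an allowlist check for
 * the "enable" parameter of a hypothetical QoS CGI handler and a way to run
 * the backing command without a shell, so metacharacters are never parsed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if value is exactly "0" or "1", else 0.
 * Rejecting anything unexpected is stronger than stripping metacharacters:
 * a strip filter only catches the characters its author thought of. */
int qos_enable_is_valid(const char *value)
{
    if (value == NULL)
        return 0;
    return strcmp(value, "0") == 0 || strcmp(value, "1") == 0;
}

/* Hypothetical handler. Instead of building "qos_ctl <value>" for system(),
 * which hands the string to /bin/sh, it validates first and then execv()s a
 * fixed binary with the value as its own argv entry. Returns the child's exit
 * status, or -1 on rejection or failure. */
int set_qos_cfg(const char *enable)
{
    if (!qos_enable_is_valid(enable))
        return -1;                      /* reject; caller answers HTTP 400 */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* placeholder path: the real helper binary name is not known */
        char *const argv[] = { "/usr/sbin/qos_ctl", (char *)enable, NULL };
        execv(argv[0], argv);
        _exit(127);                     /* exec failed; no shell involved */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```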


Advisories

No advisories yet.

History

Mon, 25 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Mon, 25 May 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A8000ru A8000ru Firmware
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T06:45:11.182Z

Reserved: 2026-05-24T07:07:30.176Z

Link: CVE-2026-9435

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T09:30:21Z

Weaknesses