Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument "enabled" results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The A8000RU router's web management interface allows configuration of OpenVPN settings through the setOpenVpnCfg endpoint in cstecgi.cgi. By manipulating a request parameter (the "enabled" argument), an attacker can inject arbitrary operating system commands, enabling remote command execution. This vulnerability can lead to full compromise of the device, including data exfiltration, denial of service, or deployment of malware. The weakness is a classic command injection flaw (CWE-77 and CWE-78).

Affected Systems

Affected devices are Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The issue resides in the Web Management Interface component, specifically the setOpenVpnCfg function in the cstecgi.cgi CGI script.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. Although there is no EPSS score reported, the publicly disclosed exploit and its remote nature suggest a high likelihood of real-world exploitation. The attack vector is remote over the network, likely via HTTP/HTTPS requests to the router’s management interface. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS score warrants immediate attention.

Generated by OpenCVE AI on May 25, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that resolves the command injection flaw in the cstecgi.cgi script.
  • If a firmware upgrade is not immediately available, disable or restrict remote access to the router’s management interface, or block the /cgi-bin/cstecgi.cgi path using firewall rules.
  • Implement network monitoring to detect unusual VPN configuration changes or command injection attempts, and enforce strong, unique credentials for all administrative accounts.

Advisories

No advisories yet.

History

Mon, 25 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Mon, 25 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument "enabled" results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg OS command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T12:00:14.335Z

Reserved: 2026-05-24T07:57:23.070Z

Link: CVE-2026-9456

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T13:30:26Z

Weaknesses