Description
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the UploadFirmwareFile function of /cgi-bin/cstecgi.cgi on Totolink A8000RU routers lets an attacker inject arbitrary shell commands through the FileName parameter (CWE-77/CWE-78: the value reaches a command interpreter without neutralisation). Commands run with the privileges of the CGI process, giving full control over the device and compromising confidentiality, integrity and availability.

Affected Systems

The flaw affects Totolink A8000RU routers running firmware version 7.1cu.643_b20200521, reached through the web management interface (/cgi-bin/cstecgi.cgi). The CPE entry is version-wildcarded and no other versions have been confirmed as affected or unaffected.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (v3.1: 9.8) indicates critical severity; the vectors record network access, low attack complexity and no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). No EPSS score is available yet, but a public exploit exists, so exploitation is practical. It is not listed in the CISA KEV catalog. Any attacker who can reach the web management interface, from the LAN or from the Internet where remote management has been enabled, can submit a request to UploadFirmwareFile with a crafted FileName value and trigger command execution without authenticating.

Generated by OpenCVE AI on May 25, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a Totolink firmware release that fixes the UploadFirmwareFile command injection as soon as the vendor publishes one; none is listed at the time of writing.
  • Until then, block access to /cgi-bin/cstecgi.cgi from untrusted networks, disable remote (WAN-side) management, and restrict the management interface to trusted IPs. Because a public exploit exists, treat any device whose interface has been exposed as potentially compromised and reflash it from a known-good image rather than trusting its current state.
  • For the vendor: validate FileName against a strict allow-list and pass it to the underlying command as a single argument (execv-style) rather than through a shell, so that no character in the value can be interpreted as shell syntax.
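The following C program is an added example, not code from Totolink's cstecgi.cgi (whose source is not on this page): the `mv` command, the `/tmp/upload` path and the helper names are assumptions chosen to illustrate the CWE-78 pattern the advisory describes and the two-part fix in the last recommendation. The vulnerable builder shows how a FileName such as `fw.bin;reboot` turns into a second command once the string reaches `system()`; the hardened path allow-lists the name and then runs the command with `execv`, so the value is one argv element that no shell ever parses.

```c
/* Added illustration of the UploadFirmwareFile FileName injection pattern and
 * its fix. Command, paths and function names are assumptions, not Totolink's. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_NAME 64

/* Vulnerable pattern (CWE-78): the FileName parameter is formatted straight
 * into a command line that would later be handed to system(). Any shell
 * metacharacter in the value (';', '|', '`', '$(...)') becomes an extra
 * command. Returns 1 if the line fitted in 'out', 0 otherwise. */
int build_upload_cmd_vulnerable(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "mv /tmp/upload/%s /tmp/firmware.bin", filename);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened check: allow-list the characters a firmware file name may contain
 * and reject anything that could reach a shell or escape the upload directory.
 * Returns 1 for an acceptable name, 0 otherwise. */
int is_safe_filename(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME)
        return 0;
    if (name[0] == '.' || name[0] == '-')   /* no hidden or option-like names */
        return 0;
    if (strstr(name, "..") != NULL)         /* no path traversal */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened invocation: no shell at all. The file name travels as a single
 * argv element, so its content can never be parsed as shell syntax.
 * Returns the child's exit status, or -1 if it could not be started. */
int move_upload_no_shell(const char *filename)
{
    char src[sizeof("/tmp/upload/") + MAX_NAME];
    snprintf(src, sizeof src, "/tmp/upload/%s", filename);
    char *const argv[] = { "mv", "--", src, "/tmp/firmware.bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/mv", argv);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Request handler as it should look: validate first, then act without a
 * shell. Returns -1 for a rejected name, otherwise the mv exit status. */
int handle_upload_firmware(const char *filename)
{
    if (!is_safe_filename(filename))
        return -1;
    return move_upload_no_shell(filename);
}

int main(void)
{
    const char *attack = "fw.bin;reboot";   /* constructed sample FileName */
    char cmd[256];
    build_upload_cmd_vulnerable(attack, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("hardened handler result: %d\n", handle_upload_firmware(attack));
    return 0;
}
```

The allow-list is deliberately narrower than what a shell would treat as dangerous: rejecting a leading `.` or `-` and any `..` sequence also closes traversal and option-injection paths that a pure metacharacter filter would miss, and the `--` in the argv keeps `mv` from reading the name as an option even if the check is ever loosened.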



Advisories

No advisories yet.

History

Mon, 25 May 2026 15:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Totolink a8000ru
Vendors & Products   |                | Totolink a8000ru

Mon, 25 May 2026 13:30:00 +0000

Type                 | Values Removed | Values Added
Description          |                | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Title                |                | Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection
First Time appeared  |                | Totolink
                     |                | Totolink a8000ru Firmware
Weaknesses           |                | CWE-77
                     |                | CWE-78
CPEs                 |                | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products   |                | Totolink
                     |                | Totolink a8000ru Firmware
References           |                |
Metrics              |                | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
                     |                | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                     |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T12:15:15.219Z

Reserved: 2026-05-24T07:57:25.850Z

Link: CVE-2026-9457

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T14:45:16Z

Weaknesses