Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enabled leads to OS command injection. The attack can be performed remotely. The exploit is publicly available and might be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the setWanCfg function of /cgi-bin/cstecgi.cgi on Totolink A8000RU firmware 7.1cu.643_b20200521, where a crafted value of the enabled argument injects arbitrary operating system commands. This lets an attacker execute commands with the privileges of the web interface, effectively providing full control over the device.

Affected Systems

Totolink A8000RU routers running firmware version 7.1cu.643_b20200521 are affected. The issue targets the Web Management Interface component /cgi-bin/cstecgi.cgi, which is exposed to the network and can be invoked remotely.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. Although no EPSS score is reported, the exploit is publicly available and the vulnerability can be exploited from outside the network. Attackers can remotely invoke the vulnerable endpoint to run arbitrary commands without authentication. This makes the risk high for any unpatched device; the vulnerability is not currently listed in CISA KEV.

Generated by OpenCVE AI on May 25, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware update released by Totolink that addresses the setWanCfg command injection issue.
  • If an update is not yet available, temporarily disable the Web Management Interface or restrict access to trusted local IP addresses.
  • Enable detailed system logging and monitor for anomalous command execution attempts related to cgi-bin/cstecgi.cgi.



Advisories

No advisories yet.

History

Mon, 25 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Totolink a8000ru
Vendors & Products | | Totolink a8000ru

Mon, 25 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enabled leads to OS command injection. The attack can be performed remotely. The exploit is publicly available and might be used.
Title | | Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection
First Time appeared | | Totolink; Totolink a8000ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a8000ru Firmware
References | |
Metrics: cvssV2_0 | | {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics: cvssV3_0 | | {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics: cvssV3_1 | | {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics: cvssV4_0 | | {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T12:30:13.344Z

Reserved: 2026-05-24T07:57:28.742Z

Link: CVE-2026-9458

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T16:15:29Z

Weaknesses