Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the setPasswordCfg handler of /cgi-bin/cstecgi.cgi on Totolink A8000RU routers. By injecting crafted input into the admpass argument, an attacker can cause arbitrary shell commands to be executed on the device. The vulnerability is located within the Web Management Interface and would allow an attacker to compromise the router’s operating system, potentially granting full control over the device and any networks it bridges.

Affected Systems

The flaw is confirmed in Totolink A8000RU firmware version 7.1cu.643_b20200521. It affects the web management component of this router model; no other firmware releases are listed as affected in the available data. Users of this device model should check their firmware against the specified version.

Risk and Exploitability

The CVSS score of 9.3 categorizes this as critical. The exploit is publicly available and can be performed remotely; the description gives no indication that authentication is required. Although EPSS data is not provided, the absence of a KEV listing does not diminish the high risk posed by the ability to inject and execute arbitrary commands on the router's operating system. The vulnerability could allow attackers to elevate privileges, modify routing tables, and exfiltrate data.

Generated by OpenCVE AI on May 25, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version that removes the command injection vulnerability.
  • If a patched firmware is not yet available, block external access to /cgi-bin/cstecgi.cgi using a firewall or network ACL to prevent remote attackers from exploiting the vulnerability.
  • Disable the web management interface altogether or restrict its access to trusted IP addresses only to eliminate the attack surface until remediation is performed.
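As an added example, not code from OpenCVE or Totolink, a small Python checker that turns the ACL and monitoring advice above into a log review: it flags any request to /cgi-bin/cstecgi.cgi arriving from outside an assumed trusted management network, and any setPasswordCfg request whose admpass value carries shell metacharacters. The access-log layout, the func= field and the sample lines are constructed assumptions for the example, not the router's real request format.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Networks allowed to reach the management interface (assumption for this example).
TRUSTED_NETS = [ip_network("192.168.0.0/24")]
# Characters that let a parameter value break out of a shell command string.
SHELL_META = re.compile(r"[;|&`$\n\r]")
# Assumed log layout: "<client-ip> <method> <path> <url-encoded body or ->".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")
CGI_PATH = "/cgi-bin/cstecgi.cgi"

# Constructed sample lines; the "func=" field is hypothetical, not Totolink's real one.
SAMPLE_LOG = """\
192.168.0.10 POST /cgi-bin/cstecgi.cgi func=setPasswordCfg&admpass=Str0ngPass%21
203.0.113.7 POST /cgi-bin/cstecgi.cgi func=setPasswordCfg&admpass=x%3Bid
192.168.0.11 GET /index.html -
192.168.0.12 POST /cgi-bin/cstecgi.cgi func=setPasswordCfg&admpass=a%24%28id%29b
"""


def analyze_log(text, trusted_nets=TRUSTED_NETS):
    """Return (client_ip, reason) alerts for suspicious cstecgi.cgi requests."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != CGI_PATH:
            continue
        ip = ip_address(m["ip"])
        # Recommended ACL: the management CGI should only be reachable from trusted networks.
        if not any(ip in net for net in trusted_nets):
            alerts.append((m["ip"], "cstecgi.cgi reached from untrusted network"))
        # The vulnerable handler reads admpass; a password change carrying shell
        # metacharacters matches the CVE-2026-9476 injection pattern.
        if "setPasswordCfg" in m["body"]:
            params = parse_qs(m["body"], keep_blank_values=True)
            for value in params.get("admpass", []):
                if SHELL_META.search(value):
                    alerts.append((m["ip"], "shell metacharacters in admpass"))
    return alerts


if __name__ == "__main__":
    for client, reason in analyze_log(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

Run against the constructed lines, only the internal request with a plain password passes clean; the two entries with metacharacters and the one from 203.0.113.7 are reported.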



Advisories

No advisories yet.

History

Mon, 25 May 2026 18:30:00 +0000

Values removed: none
Values added:
  First Time appeared: Totolink a8000ru
  Vendors & Products: Totolink a8000ru

Mon, 25 May 2026 17:15:00 +0000

Values removed: none
Values added:
  Description: A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
  Title: Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection
  First Time appeared: Totolink; Totolink a8000ru Firmware
  Weaknesses: CWE-77, CWE-78
  CPEs: cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
  Vendors & Products: Totolink; Totolink a8000ru Firmware
  References: none
  Metrics:
    cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T17:00:16.579Z

Reserved: 2026-05-24T09:15:32.636Z

Link: CVE-2026-9476

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T18:30:06Z

Weaknesses