Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'enable' parameter in the setUPnPCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed), increasing immediate risk for exposed devices. EPSS data not available, but CVSS 8.9 with network vector (AV:N), no authentication (PR:N), and low complexity (AC:L) indicates trivial remote exploitation against default configurations.
Technical ContextAI
This vulnerability affects the CGI (Common Gateway Interface) handler in Totolink A8000RU consumer router firmware, specifically the setUPnPCfg function which manages Universal Plug and Play configuration. CWE-77 (Command Injection) indicates improper neutralization of special elements used in OS commands. The 'enable' parameter is passed to the operating system without sanitization, allowing attackers to inject shell metacharacters (semicolons, pipes, backticks) to execute arbitrary commands with the privileges of the web server process, typically root on embedded devices. The affected component is /cgi-bin/cstecgi.cgi, a compiled binary handling router configuration requests. UPnP configuration interfaces are commonly network-exposed on router management ports (typically TCP 80/8080) and frequently accessible from LAN segments.
RemediationAI
Primary remediation: Check Totolink vendor website (https://www.totolink.net/) and support pages for firmware updates newer than 7.1cu.643_b20200521 for the A8000RU model; apply latest available firmware following vendor upgrade procedures. Compensating controls if no patch exists: (1) Disable remote management and restrict web interface access to trusted LAN segments only - blocks AV:N but does not prevent LAN-based attacks from compromised endpoints; (2) Disable UPnP functionality entirely if not required for applications - eliminates the vulnerable code path but breaks UPnP-dependent services like gaming consoles and media streaming; (3) Implement firewall rules blocking external access to TCP ports 80, 8080, and any custom management ports - reduces attack surface but ineffective against LAN threats; (4) Replace device with actively supported router model if Totolink has EOL'd the A8000RU. TRADE-OFFS: Disabling UPnP impacts user experience for consumer applications; LAN restriction requires network segmentation infrastructure not typical in home/SOHO environments. Vulnerability disclosure at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_307/README.md and VulDB entry https://vuldb.com/vuln/359721 provide additional technical details.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25837