Skip to main content

Totolink A8000RU CVE-2026-7122

| EUVDEUVD-2026-25837 HIGH
Command Injection (CWE-77)
2026-04-27 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 18:37 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 12:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 12:22 euvd
EUVD-2026-25837
Analysis Generated
Apr 27, 2026 - 12:22 vuln.today
CVE Published
Apr 27, 2026 - 12:16 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'enable' parameter in the setUPnPCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed), increasing immediate risk for exposed devices. EPSS data not available, but CVSS 8.9 with network vector (AV:N), no authentication (PR:N), and low complexity (AC:L) indicates trivial remote exploitation against default configurations.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler in Totolink A8000RU consumer router firmware, specifically the setUPnPCfg function which manages Universal Plug and Play configuration. CWE-77 (Command Injection) indicates improper neutralization of special elements used in OS commands. The 'enable' parameter is passed to the operating system without sanitization, allowing attackers to inject shell metacharacters (semicolons, pipes, backticks) to execute arbitrary commands with the privileges of the web server process, typically root on embedded devices. The affected component is /cgi-bin/cstecgi.cgi, a compiled binary handling router configuration requests. UPnP configuration interfaces are commonly network-exposed on router management ports (typically TCP 80/8080) and frequently accessible from LAN segments.

RemediationAI

Primary remediation: Check Totolink vendor website (https://www.totolink.net/) and support pages for firmware updates newer than 7.1cu.643_b20200521 for the A8000RU model; apply latest available firmware following vendor upgrade procedures. Compensating controls if no patch exists: (1) Disable remote management and restrict web interface access to trusted LAN segments only - blocks AV:N but does not prevent LAN-based attacks from compromised endpoints; (2) Disable UPnP functionality entirely if not required for applications - eliminates the vulnerable code path but breaks UPnP-dependent services like gaming consoles and media streaming; (3) Implement firewall rules blocking external access to TCP ports 80, 8080, and any custom management ports - reduces attack surface but ineffective against LAN threats; (4) Replace device with actively supported router model if Totolink has EOL'd the A8000RU. TRADE-OFFS: Disabling UPnP impacts user experience for consumer applications; LAN restriction requires network segmentation infrastructure not typical in home/SOHO environments. Vulnerability disclosure at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_307/README.md and VulDB entry https://vuldb.com/vuln/359721 provide additional technical details.

Share

CVE-2026-7122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy