Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AnalysisAI
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the setIptvCfg parameter in /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector and no authentication required. Public exploit code available on GitHub since disclosure, significantly lowering exploitation barrier for attackers targeting internet-facing consumer routers. No vendor patch identified for this end-of-life device at time of analysis.
Technical ContextAI
This vulnerability affects the CGI-based web management interface of Totolink A8000RU wireless router, specifically the setIptvCfg function within the /cgi-bin/cstecgi.cgi handler used for IPTV configuration. The root cause is CWE-78 (OS Command Injection), where user-supplied input to the setIptvCfg argument is passed unsanitized to system shell commands. CGI scripts in embedded router firmware frequently suffer from inadequate input validation because they execute with elevated privileges and directly interact with system commands for device configuration. The affected product runs a Linux-based embedded operating system typical of consumer routers, where command injection in web interfaces often leads to full device compromise since web services run as root or with equivalent privileges.
RemediationAI
No vendor-released patch identified at time of analysis for Totolink A8000RU firmware 7.1cu.643_b20200521. Check Totolink vendor site (https://www.totolink.net/) for firmware updates newer than the May 2020 build, though device appears end-of-life. If no patch available, implement network-level compensating controls immediately: (1) Disable remote management access by configuring the router to block WAN-side access to administrative interfaces on TCP ports 80 and 443, accepting the trade-off of local-only administration; (2) Place the router behind a perimeter firewall and restrict management access to specific trusted IP addresses via ACLs, which may complicate remote support scenarios; (3) If IPTV functionality (the attack surface for setIptvCfg) is not required for your deployment, disable it entirely in the router configuration to eliminate this attack vector, noting this breaks IPTV services. For environments where these mitigations are insufficient, hardware replacement with actively supported router firmware (from vendors with established security update programs) is recommended given the device's apparent end-of-life status and critical severity of unauthenticated RCE.
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to
OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25839