Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
AnalysisAI
OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'merge' parameter in the setWiFiEasyCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new2), enabling trivial exploitation against internet-facing devices. CVSS 8.9 reflects network attack vector with no authentication required (AV:N/PR:N), and EPSS data suggests moderate real-world exploitation probability given the POC availability and low attack complexity.
Technical ContextAI
This vulnerability affects the CGI handler implementation in Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The setWiFiEasyCfg function within /cgi-bin/cstecgi.cgi fails to properly sanitize the 'merge' parameter before passing it to system command execution routines, creating a classic CWE-78 OS command injection flaw. CGI handlers in embedded router firmware commonly suffer from insufficient input validation when processing HTTP parameters, especially in legacy code that directly constructs shell commands using user-supplied input without escaping or parameterization. The affected CPE (cpe:2.3:a:totolink:a8000ru) indicates this is a vendor application-layer vulnerability in the router's web management interface rather than a firmware-level flaw.
RemediationAI
Check Totolink's official support portal (https://www.totolink.net/) for firmware updates newer than version 7.1cu.643_b20200521 that address CVE-2026-7125. No vendor-released patch version was identified in the provided data sources. As compensating controls with specific trade-offs: (1) Disable remote administration entirely via the router's web interface settings - this blocks the attack vector but prevents legitimate remote management; restore only when patched firmware is available. (2) If remote management is operationally required, restrict access to the /cgi-bin/cstecgi.cgi endpoint to trusted IP addresses using firewall rules (upstream router ACLs or WAN packet filter if the device supports it) - this limits exposure but requires maintaining an IP allowlist and does not protect against LAN-side attackers or compromised trusted hosts. (3) Place the router behind a reverse proxy with strict parameter filtering - adds architectural complexity and potential performance overhead. Do NOT rely on changing administrative credentials alone, as this vulnerability requires no authentication. Monitor logs for HTTP POST requests to /cgi-bin/cstecgi.cgi with suspicious 'merge' parameter values containing shell metacharacters (semicolons, backticks, pipes, ampersands).
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to
OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25843