Skip to main content

Totolink A8000RU CVE-2026-7125

| EUVDEUVD-2026-25843 HIGH
OS Command Injection (CWE-78)
2026-04-27 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 18:37 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 18:36 vuln.today
Public exploit code
Analysis Generated
Apr 27, 2026 - 13:30 vuln.today
Severity Changed
Apr 27, 2026 - 13:22 NVD
CRITICAL HIGH
CVSS changed
Apr 27, 2026 - 13:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
EUVD ID Assigned
Apr 27, 2026 - 13:00 euvd
EUVD-2026-25843
Analysis Generated
Apr 27, 2026 - 13:00 vuln.today
CVE Published
Apr 27, 2026 - 12:45 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

AnalysisAI

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'merge' parameter in the setWiFiEasyCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new2), enabling trivial exploitation against internet-facing devices. CVSS 8.9 reflects network attack vector with no authentication required (AV:N/PR:N), and EPSS data suggests moderate real-world exploitation probability given the POC availability and low attack complexity.

Technical ContextAI

This vulnerability affects the CGI handler implementation in Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The setWiFiEasyCfg function within /cgi-bin/cstecgi.cgi fails to properly sanitize the 'merge' parameter before passing it to system command execution routines, creating a classic CWE-78 OS command injection flaw. CGI handlers in embedded router firmware commonly suffer from insufficient input validation when processing HTTP parameters, especially in legacy code that directly constructs shell commands using user-supplied input without escaping or parameterization. The affected CPE (cpe:2.3:a:totolink:a8000ru) indicates this is a vendor application-layer vulnerability in the router's web management interface rather than a firmware-level flaw.

RemediationAI

Check Totolink's official support portal (https://www.totolink.net/) for firmware updates newer than version 7.1cu.643_b20200521 that address CVE-2026-7125. No vendor-released patch version was identified in the provided data sources. As compensating controls with specific trade-offs: (1) Disable remote administration entirely via the router's web interface settings - this blocks the attack vector but prevents legitimate remote management; restore only when patched firmware is available. (2) If remote management is operationally required, restrict access to the /cgi-bin/cstecgi.cgi endpoint to trusted IP addresses using firewall rules (upstream router ACLs or WAN packet filter if the device supports it) - this limits exposure but requires maintaining an IP allowlist and does not protect against LAN-side attackers or compromised trusted hosts. (3) Place the router behind a reverse proxy with strict parameter filtering - adds architectural complexity and potential performance overhead. Do NOT rely on changing administrative credentials alone, as this vulnerability requires no authentication. Monitor logs for HTTP POST requests to /cgi-bin/cstecgi.cgi with suspicious 'merge' parameter values containing shell metacharacters (semicolons, backticks, pipes, ampersands).

CVE-2026-9436 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9478 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9477 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9476 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9475 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

CVE-2026-9458 HIGH POC
8.9 May 25

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke

CVE-2026-9457 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9456 HIGH POC
8.9 May 25

Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to

CVE-2026-9455 HIGH POC
8.9 May 25

OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9454 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9435 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9434 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

Share

CVE-2026-7125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy