Totolink A8000RU CVE-2026-7202
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
OS command injection in Totolink A8000RU router firmware version 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands with root privileges via the wscDisabled parameter in the setWiFiWpsStart function of /cgi-bin/cstecgi.cgi. Public exploit code exists (VulDB #359802), enabling trivial weaponization. EPSS score unavailable; CVSS 8.9 reflects network-based unauthenticated attack with complete device compromise. No CISA KEV listing at time of analysis, suggesting targeted rather than mass exploitation.
Technical ContextAI
This is a classic web-based OS command injection vulnerability (CWE-77) in the CGI handler of a consumer router. The setWiFiWpsStart function in /cgi-bin/cstecgi.cgi fails to sanitize the wscDisabled parameter before passing it to a shell command. Totolink A8000RU is a WiFi 6 mesh router running embedded Linux firmware. CGI scripts in such devices typically run with root privileges, making command injection particularly severe. The affected component handles WiFi Protected Setup (WPS) configuration, a legitimate administrative function exposed via the web management interface. CVSS 4.0 vector indicates network attack (AV:N), low complexity (AC:L), no prerequisites (PR:N, UI:N), and complete confidentiality/integrity/availability impact on the vulnerable system (VC:H/VI:H/VA:H) with no cross-scope effects (SC:N/SI:N/SA:N).
Affected ProductsAI
Totolink A8000RU WiFi 6 mesh router running firmware version 7.1cu.643_b20200521 (released May 21, 2020). No CPE identifier provided in source data. Vendor product page available at https://www.totolink.net/ but no security advisory identified. Newer firmware versions not analyzed; users should verify current version against vendor support channels. Similar Totolink models may share vulnerable codebase but are not confirmed affected by available intelligence.
RemediationAI
Check Totolink vendor site (https://www.totolink.net/) for firmware updates newer than 7.1cu.643_b20200521; no confirmed patched version identified in available data sources. If no patch exists or device is end-of-life, implement compensating controls: (1) Disable remote management access entirely - access web interface only from trusted LAN segments, not WAN; verify firewall rules block external access to TCP ports 80/443/8080. (2) If remote management required, place device behind VPN gateway and restrict source IPs to authorized administrators; note this adds latency and management complexity. (3) Disable WPS functionality via admin interface if not actively used, reducing attack surface to this specific function. (4) Monitor device logs for unexpected CGI requests to /cgi-bin/cstecgi.cgi with anomalous parameters. Consider device replacement with actively supported hardware if vendor provides no security updates for 2020-era firmware.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today