Skip to main content

Totolink A8000RU CVE-2026-7203

| EUVDEUVD-2026-25960 HIGH
Command Injection (CWE-77)
2026-04-28 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 01:31 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 01:22 euvd
EUVD-2026-25960
Analysis Generated
Apr 28, 2026 - 01:22 vuln.today
CVE Published
Apr 28, 2026 - 01:16 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used.

AnalysisAI

Remote command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands with router privileges via the setUrlFilterRules CGI function. Public exploit code exists (CVSS:4.0 E:P indicator), significantly increasing exploitation risk. EPSS data unavailable, but network-accessible command injection with public POC represents critical risk for internet-exposed devices.

Technical ContextAI

The vulnerability resides in the CGI handler (/cgi-bin/cstecgi.cgi) of the Totolink A8000RU wireless router, specifically within the setUrlFilterRules function used for URL filtering administration. This is a CWE-77 (Command Injection) flaw where user-supplied input to the 'enable' parameter is passed unsanitized to system shell commands. CGI-based router administration interfaces frequently suffer from insufficient input validation when processing configuration changes, allowing attackers to break out of intended command contexts by injecting shell metacharacters (semicolons, pipes, backticks). The affected firmware version 7.1cu.643_b20200521 from May 2020 suggests this is legacy code with no modern input sanitization mechanisms.

RemediationAI

Check Totolink vendor website (https://www.totolink.net/) for firmware updates newer than 7.1cu.643_b20200521 addressing CVE-2026-7203. No specific patched version identified in available advisories at time of analysis. If no patch exists, implement network-level compensating controls: (1) Remove A8000RU devices from WAN exposure - disable remote administration and place behind NAT with no port forwarding to TCP 80/443, which eliminates remote attack vector but prevents legitimate remote management; (2) Restrict web interface access to trusted management VLANs only via router ACLs, reducing attack surface to internal threats; (3) Monitor router logs for unexpected cstecgi.cgi requests containing shell metacharacters (semicolons, pipes, ampersands) as IOC of exploitation attempts; (4) If remote management required, place device behind VPN gateway requiring authentication before router access. Consider hardware replacement with actively maintained alternative if vendor does not release timely patch, as legacy SOHO routers frequently receive no security updates.

Share

CVE-2026-7203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy