Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
Remote command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the 'enable' parameter in setPptpServerCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (GitHub POC available), enabling trivial remote compromise without authentication or user interaction. CVSS v4.0 score of 8.9 reflects maximum impact on confidentiality, integrity, and availability. No EPSS data or CISA KEV status available, but publicly documented POC substantially lowers exploitation barrier for this home/small office router platform.
Technical ContextAI
This vulnerability exploits CWE-77 (Command Injection) in the CGI handler component of Totolink A8000RU wireless router firmware. The setPptpServerCfg function, which manages PPTP VPN server configuration at /cgi-bin/cstecgi.cgi, fails to properly sanitize the 'enable' parameter before passing it to system shell commands. CGI (Common Gateway Interface) scripts in embedded devices frequently suffer from insufficient input validation when translating HTTP parameters into system-level operations. The affected firmware version (7.1cu.643_b20200521, released May 2021) processes PPTP server configuration requests without validating whether user-supplied data contains shell metacharacters, allowing attackers to break out of intended command context and execute arbitrary operating system commands with the privileges of the web server process (typically root on embedded routers).
RemediationAI
Check Totolink vendor website (https://www.totolink.net/) and support portal for firmware updates released after May 2020 addressing CVE-2026-7204 or command injection in CGI handlers - no specific patched version confirmed in available data. If firmware updates are unavailable or device is end-of-life: (1) disable remote management access to the router's web interface from WAN, ensuring administration is only possible from trusted LAN segments, (2) disable PPTP VPN server functionality if not actively required for business operations (eliminates vulnerable code path), (3) place router behind additional network segmentation if managing sensitive networks, (4) consider hardware replacement with actively maintained router firmware (OpenWrt, manufacturer with defined EOL/security update policy). For enterprise deployments: implement network-based protections blocking external access to ports 80/443/8080 on router management interfaces. Trade-offs: disabling remote management prevents legitimate remote administration; disabling PPTP impacts users requiring VPN access (migrate to more secure protocols like WireGuard/OpenVPN if possible); hardware replacement incurs capital cost but eliminates ongoing vulnerability exposure in unmaintained firmware.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25961