Skip to main content

Totolink A8000RU CVE-2026-7204

| EUVDEUVD-2026-25961 HIGH
Command Injection (CWE-77)
2026-04-28 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 01:31 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 01:22 euvd
EUVD-2026-25961
Analysis Generated
Apr 28, 2026 - 01:22 vuln.today
CVE Published
Apr 28, 2026 - 01:16 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Remote command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the 'enable' parameter in setPptpServerCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (GitHub POC available), enabling trivial remote compromise without authentication or user interaction. CVSS v4.0 score of 8.9 reflects maximum impact on confidentiality, integrity, and availability. No EPSS data or CISA KEV status available, but publicly documented POC substantially lowers exploitation barrier for this home/small office router platform.

Technical ContextAI

This vulnerability exploits CWE-77 (Command Injection) in the CGI handler component of Totolink A8000RU wireless router firmware. The setPptpServerCfg function, which manages PPTP VPN server configuration at /cgi-bin/cstecgi.cgi, fails to properly sanitize the 'enable' parameter before passing it to system shell commands. CGI (Common Gateway Interface) scripts in embedded devices frequently suffer from insufficient input validation when translating HTTP parameters into system-level operations. The affected firmware version (7.1cu.643_b20200521, released May 2021) processes PPTP server configuration requests without validating whether user-supplied data contains shell metacharacters, allowing attackers to break out of intended command context and execute arbitrary operating system commands with the privileges of the web server process (typically root on embedded routers).

RemediationAI

Check Totolink vendor website (https://www.totolink.net/) and support portal for firmware updates released after May 2020 addressing CVE-2026-7204 or command injection in CGI handlers - no specific patched version confirmed in available data. If firmware updates are unavailable or device is end-of-life: (1) disable remote management access to the router's web interface from WAN, ensuring administration is only possible from trusted LAN segments, (2) disable PPTP VPN server functionality if not actively required for business operations (eliminates vulnerable code path), (3) place router behind additional network segmentation if managing sensitive networks, (4) consider hardware replacement with actively maintained router firmware (OpenWrt, manufacturer with defined EOL/security update policy). For enterprise deployments: implement network-based protections blocking external access to ports 80/443/8080 on router management interfaces. Trade-offs: disabling remote management prevents legitimate remote administration; disabling PPTP impacts users requiring VPN access (migrate to more secure protocols like WireGuard/OpenVPN if possible); hardware replacement incurs capital cost but eliminates ongoing vulnerability exposure in unmaintained firmware.

Share

CVE-2026-7204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy