Skip to main content

Totolink A8000RU CVE-2026-7243

| EUVDEUVD-2026-26016 HIGH
Command Injection (CWE-77)
2026-04-28 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 09:31 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 09:22 euvd
EUVD-2026-26016
Analysis Generated
Apr 28, 2026 - 09:22 vuln.today
CVE Published
Apr 28, 2026 - 09:16 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument maxRtrAdvInterval leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AnalysisAI

Remote unauthenticated command injection in Totolink A8000RU 7.1cu.643_b20200521 allows attackers to execute arbitrary OS commands via the maxRtrAdvInterval parameter in the setRadvdCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists per VulDB submission, enabling immediate weaponization against exposed devices. CVSS 8.9 reflects network accessibility, no authentication requirement, and high impact across confidentiality, integrity, and availability - attack complexity is low with no user interaction needed, making this a critical priority for internet-facing Totolink routers.

Technical ContextAI

This vulnerability affects the CGI handler implementation in Totolink A8000RU firmware version 7.1cu.643_b20200521. The setRadvdCfg function processes router advertisement daemon (radvd) configuration parameters for IPv6 routing. The maxRtrAdvInterval parameter, which controls the maximum interval between router advertisements, is improperly sanitized before being passed to OS-level command execution. CWE-77 (OS Command Injection) indicates insufficient neutralization of special characters, allowing shell metacharacters to break out of the intended command context and execute arbitrary system commands with the privileges of the web server process, typically root on embedded router platforms.

RemediationAI

Check Totolink vendor site (https://www.totolink.net/) for firmware updates newer than 7.1cu.643_b20200521 addressing CVE-2026-7243. No vendor security advisory or patched firmware version identified in available references at time of analysis. Immediate compensating controls: (1) Remove A8000RU devices from direct internet exposure - place behind firewall with no port forwarding to management interface on TCP 80/443; trade-off is loss of remote administration capability. (2) Disable CGI-based administration if alternative management interface exists (SSH, Telnet if credentials are strong); reduces attack surface but may limit configuration options. (3) Implement network ACLs restricting /cgi-bin/ access to specific trusted administrator IP addresses only; requires static IP or VPN for admins. (4) If IPv6 radvd configuration is not required for network operation, disable IPv6 router advertisement functionality entirely to remove the vulnerable code path; breaks IPv6 auto-configuration for clients. Monitor vendor security advisories and apply firmware updates immediately upon release. Do NOT rely on changing admin passwords alone - this is unauthenticated command injection bypassing credential checks.

Share

CVE-2026-7243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy