Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Remote unauthenticated command injection in Totolink A8000RU 7.1cu.643_b20200521 allows complete device compromise via crafted requests to the WiFi Guest Configuration CGI handler. Attackers can inject arbitrary OS commands through the 'merge' parameter in setWiFiEasyGuestCfg function at /cgi-bin/cstecgi.cgi, achieving full system control without authentication. Public exploit code exists (confirmed by CVSS E:P and GitHub POC reference), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, no authentication requirement, low complexity, and publicly available exploit indicates elevated real-world risk for internet-facing devices.
Technical ContextAI
This vulnerability affects the CGI (Common Gateway Interface) handler component of the Totolink A8000RU router firmware, specifically within the setWiFiEasyGuestCfg function that manages guest WiFi network configuration. The flaw is classified as CWE-77 (Command Injection), where improper neutralization of special elements allows attackers to inject OS commands through the 'merge' parameter. The CGI script at /cgi-bin/cstecgi.cgi fails to sanitize user-supplied input before passing it to system command execution functions, enabling arbitrary command execution with the privileges of the web server process (typically root on embedded devices). This represents a classic server-side injection vulnerability in legacy router firmware where input validation is absent or insufficient in administrative functions.
RemediationAI
Check for firmware updates newer than 7.1cu.643_b20200521 at the official Totolink website (https://www.totolink.net/) and apply the latest available firmware if a patched version exists. No vendor-released patch version was confirmed in available data at time of analysis. If firmware updates are unavailable or cannot be applied immediately, implement network-level compensating controls: disable remote administration features entirely if not required, restrict access to /cgi-bin/cstecgi.cgi and all administrative interfaces to trusted internal IP addresses only via router ACLs or upstream firewall rules (note: this prevents remote exploitation but allows attacks from compromised internal hosts), disable the WiFi Easy Guest Configuration feature if not operationally necessary (this removes the vulnerable attack surface but eliminates guest network quick-setup functionality), and place the device behind a dedicated firewall that blocks all inbound connections to router management ports. Consider replacing the device if vendor support has been discontinued and no security updates are forthcoming. For enterprise deployments, isolate affected devices on a dedicated management VLAN with strict access controls until remediation is completed.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26017