Skip to main content

Totolink A8000RU CVE-2026-7244

| EUVDEUVD-2026-26017 HIGH
Command Injection (CWE-77)
2026-04-28 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 09:31 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 09:22 euvd
EUVD-2026-26017
Analysis Generated
Apr 28, 2026 - 09:22 vuln.today
CVE Published
Apr 28, 2026 - 09:16 nvd
HIGH 8.9

DescriptionCVE.org

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Remote unauthenticated command injection in Totolink A8000RU 7.1cu.643_b20200521 allows complete device compromise via crafted requests to the WiFi Guest Configuration CGI handler. Attackers can inject arbitrary OS commands through the 'merge' parameter in setWiFiEasyGuestCfg function at /cgi-bin/cstecgi.cgi, achieving full system control without authentication. Public exploit code exists (confirmed by CVSS E:P and GitHub POC reference), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, no authentication requirement, low complexity, and publicly available exploit indicates elevated real-world risk for internet-facing devices.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler component of the Totolink A8000RU router firmware, specifically within the setWiFiEasyGuestCfg function that manages guest WiFi network configuration. The flaw is classified as CWE-77 (Command Injection), where improper neutralization of special elements allows attackers to inject OS commands through the 'merge' parameter. The CGI script at /cgi-bin/cstecgi.cgi fails to sanitize user-supplied input before passing it to system command execution functions, enabling arbitrary command execution with the privileges of the web server process (typically root on embedded devices). This represents a classic server-side injection vulnerability in legacy router firmware where input validation is absent or insufficient in administrative functions.

RemediationAI

Check for firmware updates newer than 7.1cu.643_b20200521 at the official Totolink website (https://www.totolink.net/) and apply the latest available firmware if a patched version exists. No vendor-released patch version was confirmed in available data at time of analysis. If firmware updates are unavailable or cannot be applied immediately, implement network-level compensating controls: disable remote administration features entirely if not required, restrict access to /cgi-bin/cstecgi.cgi and all administrative interfaces to trusted internal IP addresses only via router ACLs or upstream firewall rules (note: this prevents remote exploitation but allows attacks from compromised internal hosts), disable the WiFi Easy Guest Configuration feature if not operationally necessary (this removes the vulnerable attack surface but eliminates guest network quick-setup functionality), and place the device behind a dedicated firewall that blocks all inbound connections to router management ports. Consider replacing the device if vendor support has been discontinued and no security updates are forthcoming. For enterprise deployments, isolate affected devices on a dedicated management VLAN with strict access controls until remediation is completed.

Share

CVE-2026-7244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy