Skip to main content

Totolink A8000RU EUVDEUVD-2026-25835

| CVE-2026-7121 HIGH
Command Injection (CWE-77)
2026-04-27 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 18:37 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 12:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 12:22 euvd
EUVD-2026-25835
Analysis Generated
Apr 27, 2026 - 12:22 vuln.today
CVE Published
Apr 27, 2026 - 12:16 nvd
HIGH 8.9

DescriptionCVE.org

A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

AnalysisAI

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'wizard' parameter in the setWizardCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector (AV:N), no authentication (PR:N), low complexity (AC:L), and published POC indicates elevated real-world risk for internet-exposed devices.

Technical ContextAI

This is a classic OS command injection vulnerability (CWE-77) in the CGI handler of a consumer wireless router. The setWizardCfg function in /cgi-bin/cstecgi.cgi fails to properly sanitize the 'wizard' parameter before passing it to a system shell command. CGI scripts in embedded devices often use shell execution for configuration tasks, and insufficient input validation allows attackers to inject shell metacharacters (e.g., semicolons, pipes, backticks) to append arbitrary commands. The affected product is Totolink A8000RU firmware version 7.1cu.643_b20200521, a consumer-grade wireless router. Command injection flaws are particularly severe in routers because they run with root/administrator privileges and provide network positioning for lateral movement.

RemediationAI

Check for firmware updates from Totolink at https://www.totolink.net/ and upgrade to the latest available version if a patched release exists (specific fix version not identified in available data at time of analysis). If no patch is available, implement network-level compensating controls: disable remote management access from WAN interfaces, restrict web administration to trusted LAN IP addresses only via router ACLs, change default admin credentials to strong unique passwords, and deploy the router behind a firewall that blocks inbound connections to TCP ports 80/443/8080 on the router's WAN interface. For enterprise environments, consider replacing the device with enterprise-grade equipment that receives active security updates. Note that disabling the setup wizard feature may not be sufficient as the vulnerable CGI endpoint may remain accessible. Blocking external access trades off remote management convenience but is essential until a patch is confirmed.

Share

EUVD-2026-25835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy