Skip to main content

Totolink A8000RU EUVDEUVD-2026-25839

| CVE-2026-7123 HIGH
OS Command Injection (CWE-78)
2026-04-27 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 18:37 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 18:36 vuln.today
Public exploit code
Analysis Generated
Apr 27, 2026 - 13:30 vuln.today
Severity Changed
Apr 27, 2026 - 13:22 NVD
CRITICAL HIGH
CVSS changed
Apr 27, 2026 - 13:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
EUVD ID Assigned
Apr 27, 2026 - 13:00 euvd
EUVD-2026-25839
Analysis Generated
Apr 27, 2026 - 13:00 vuln.today
CVE Published
Apr 27, 2026 - 12:15 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.

AnalysisAI

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the setIptvCfg parameter in /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector and no authentication required. Public exploit code available on GitHub since disclosure, significantly lowering exploitation barrier for attackers targeting internet-facing consumer routers. No vendor patch identified for this end-of-life device at time of analysis.

Technical ContextAI

This vulnerability affects the CGI-based web management interface of Totolink A8000RU wireless router, specifically the setIptvCfg function within the /cgi-bin/cstecgi.cgi handler used for IPTV configuration. The root cause is CWE-78 (OS Command Injection), where user-supplied input to the setIptvCfg argument is passed unsanitized to system shell commands. CGI scripts in embedded router firmware frequently suffer from inadequate input validation because they execute with elevated privileges and directly interact with system commands for device configuration. The affected product runs a Linux-based embedded operating system typical of consumer routers, where command injection in web interfaces often leads to full device compromise since web services run as root or with equivalent privileges.

RemediationAI

No vendor-released patch identified at time of analysis for Totolink A8000RU firmware 7.1cu.643_b20200521. Check Totolink vendor site (https://www.totolink.net/) for firmware updates newer than the May 2020 build, though device appears end-of-life. If no patch available, implement network-level compensating controls immediately: (1) Disable remote management access by configuring the router to block WAN-side access to administrative interfaces on TCP ports 80 and 443, accepting the trade-off of local-only administration; (2) Place the router behind a perimeter firewall and restrict management access to specific trusted IP addresses via ACLs, which may complicate remote support scenarios; (3) If IPTV functionality (the attack surface for setIptvCfg) is not required for your deployment, disable it entirely in the router configuration to eliminate this attack vector, noting this breaks IPTV services. For environments where these mitigations are insufficient, hardware replacement with actively supported router firmware (from vendors with established security update programs) is recommended given the device's apparent end-of-life status and critical severity of unauthenticated RCE.

CVE-2026-9436 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9478 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9477 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9476 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9475 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

CVE-2026-9458 HIGH POC
8.9 May 25

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke

CVE-2026-9457 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9456 HIGH POC
8.9 May 25

Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to

CVE-2026-9455 HIGH POC
8.9 May 25

OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9454 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9435 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9434 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

Share

EUVD-2026-25839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy