Skip to main content

Totolink A8000RU EUVDEUVD-2026-26014

| CVE-2026-7241 HIGH
Command Injection (CWE-77)
2026-04-28 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 09:30 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 09:22 euvd
EUVD-2026-26014
Analysis Generated
Apr 28, 2026 - 09:22 vuln.today
CVE Published
Apr 28, 2026 - 09:16 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

AnalysisAI

Remote command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the wifiOff parameter in setWiFiBasicCfg function. The vulnerability has a publicly available exploit (PoC on GitHub) and achieves full system compromise with network-accessible attack vector requiring no authentication or user interaction. EPSS data not available, but CVSS 8.9 (Critical) with exploitability confirmed (E:P) indicates immediate patching priority for exposed devices.

Technical ContextAI

This is a classic OS command injection vulnerability (CWE-77) in the CGI handler of a consumer WiFi router. The setWiFiBasicCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the wifiOff parameter before passing it to system shell commands. CGI (Common Gateway Interface) scripts in embedded devices often use shell execution for configuration changes, and inadequate input validation allows attackers to break out of intended commands by injecting shell metacharacters (semicolons, pipes, backticks). The affected component is the router's web management interface, which processes WiFi configuration requests. Totolink A8000RU is a consumer-grade wireless router running proprietary firmware based on embedded Linux.

RemediationAI

Check Totolink vendor website (https://www.totolink.net/) for firmware updates newer than version 7.1cu.643_b20200521 that address CVE-2026-7241. No vendor-released patch version is confirmed in available data at time of analysis. If no patch is available, implement these compensating controls: (1) Disable remote administration access from WAN interfaces - restrict management interface access to LAN-only or specific trusted IP ranges via firewall rules (trade-off: remote management capability lost). (2) Place router management interface on isolated VLAN accessible only from privileged administrative workstations (requires VLAN-capable network infrastructure). (3) Deploy network-based IPS signatures to detect command injection patterns in HTTP requests to /cgi-bin/cstecgi.cgi (trade-off: potential for false positives blocking legitimate WiFi configuration changes). (4) If device is internet-facing by necessity, place behind additional firewall that terminates external connections and proxies only essential services. For full details on the vulnerability and potential indicators of compromise, reference the researcher disclosure at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_325/README.md and VulDB entries at https://vuldb.com/vuln/359848.

Share

EUVD-2026-26014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy