Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
AnalysisAI
Remote command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the wifiOff parameter in setWiFiBasicCfg function. The vulnerability has a publicly available exploit (PoC on GitHub) and achieves full system compromise with network-accessible attack vector requiring no authentication or user interaction. EPSS data not available, but CVSS 8.9 (Critical) with exploitability confirmed (E:P) indicates immediate patching priority for exposed devices.
Technical ContextAI
This is a classic OS command injection vulnerability (CWE-77) in the CGI handler of a consumer WiFi router. The setWiFiBasicCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the wifiOff parameter before passing it to system shell commands. CGI (Common Gateway Interface) scripts in embedded devices often use shell execution for configuration changes, and inadequate input validation allows attackers to break out of intended commands by injecting shell metacharacters (semicolons, pipes, backticks). The affected component is the router's web management interface, which processes WiFi configuration requests. Totolink A8000RU is a consumer-grade wireless router running proprietary firmware based on embedded Linux.
RemediationAI
Check Totolink vendor website (https://www.totolink.net/) for firmware updates newer than version 7.1cu.643_b20200521 that address CVE-2026-7241. No vendor-released patch version is confirmed in available data at time of analysis. If no patch is available, implement these compensating controls: (1) Disable remote administration access from WAN interfaces - restrict management interface access to LAN-only or specific trusted IP ranges via firewall rules (trade-off: remote management capability lost). (2) Place router management interface on isolated VLAN accessible only from privileged administrative workstations (requires VLAN-capable network infrastructure). (3) Deploy network-based IPS signatures to detect command injection patterns in HTTP requests to /cgi-bin/cstecgi.cgi (trade-off: potential for false positives blocking legitimate WiFi configuration changes). (4) If device is internet-facing by necessity, place behind additional firewall that terminates external connections and proxies only essential services. For full details on the vulnerability and potential indicators of compromise, reference the researcher disclosure at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_325/README.md and VulDB entries at https://vuldb.com/vuln/359848.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26014