Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnClientCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enabled can lead to os command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated remote attackers to execute arbitrary system commands via the setOpenVpnClientCfg function in /cgi-bin/cstecgi.cgi by manipulating the 'enabled' parameter. Public exploit code exists (disclosed on GitHub), significantly lowering the barrier to exploitation. CVSS 8.9 reflects the complete compromise potential (confidentiality, integrity, availability) without requiring authentication or user interaction, making this a critical exposure for deployed devices.
Technical ContextAI
The vulnerability stems from improper neutralization of special elements used in OS commands (CWE-77). The Totolink A8000RU router's CGI handler at /cgi-bin/cstecgi.cgi processes OpenVPN client configuration requests through the setOpenVpnClientCfg function. This function fails to sanitize the 'enabled' parameter before passing it to a system command interpreter, allowing shell metacharacters to break out of the intended command context and execute arbitrary OS commands with the privileges of the web server process (typically root on embedded router firmware). This is a classic example of command injection in legacy router firmware where user-supplied input is concatenated directly into shell commands without validation or escaping.
RemediationAI
No vendor-released patch identified at time of analysis. Totolink's official website (https://www.totolink.net/) should be monitored for firmware updates addressing CVE-2026-7242, but vendor response to disclosed vulnerabilities has historically been inconsistent. Immediate compensating controls: (1) Disable remote administration access to the router's web interface - restrict management access to local network only via router's access control settings (trade-off: eliminates remote management capability); (2) Disable OpenVPN client functionality if not actively used, as the vulnerable function is specifically in the OpenVPN client configuration handler (trade-off: loss of VPN client features); (3) Place the router behind a firewall that blocks external access to TCP ports 80/443 and any custom management ports (trade-off: adds network complexity and requires additional hardware). For high-security environments, consider replacing the device with actively maintained router firmware from vendors with established security update programs, as this 2020-era firmware version suggests the device may be end-of-life. Network segmentation should isolate the router's management plane from untrusted networks.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26015