Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument lang leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.
AnalysisAI
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands through the setLanguageCfg function in /cgi-bin/cstecgi.cgi. The flaw is triggered by manipulating the lang argument in the Web Management Interface, with publicly available exploit code existing and SSVC classifying the issue as automatable with total technical impact. EPSS sits at 0.89% (76th percentile), indicating moderate but non-trivial exploitation probability.
Technical ContextAI
The affected component is the cstecgi.cgi binary, a common CGI handler in Totolink router firmware that dispatches Web Management Interface requests to internal handler functions such as setLanguageCfg. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning the lang parameter value is concatenated into a shell command without proper sanitization or use of safe execution primitives. Per the CPE (cpe:2.3:a:totolink:a8000ru), the vulnerability lives in the embedded firmware web stack of the A8000RU gigabit router, where CGI handlers typically run with root privileges, giving any successful command injection full system control.
RemediationAI
No vendor-released patch identified at time of analysis - the references point only to VulDB tracking entries, a public exploit write-up at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_333/README.md, and the Totolink vendor site (https://www.totolink.net/) without a specific firmware fix advisory, so administrators should check Totolink's support portal for an updated firmware build superseding 7.1cu.643_b20200521. As compensating controls, disable remote (WAN-side) web management on the A8000RU so /cgi-bin/cstecgi.cgi is not reachable from the internet (trade-off: loss of remote admin convenience), restrict LAN-side access to the admin interface using ACLs or VLAN segmentation to trusted management hosts only (trade-off: added operational complexity for legitimate admins), and place the device behind a reverse proxy or firewall that blocks requests containing shell metacharacters in the lang parameter of cstecgi.cgi (trade-off: may break legitimate language switching). Consider replacing the device if no firmware update is forthcoming.
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to
OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31546
GHSA-p623-gg4q-6fv7