Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the FileName argument in the UploadFirmwareFile function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB reporting, and SSVC rates this as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile) indicating no broad mass-exploitation campaign yet observed.
Technical ContextAI
The affected component is the Web Management Interface CGI handler (cstecgi.cgi) on the Totolink A8000RU, a consumer/SOHO router. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) applies because the UploadFirmwareFile function passes the user-supplied FileName parameter into a shell or system() call without proper sanitization, allowing shell metacharacters to break out of the intended command context. CPE cpe:2.3:a:totolink:a8000ru:*:*:*:*:*:*:*:* identifies the affected device family, with EUVD specifically pinning firmware build 7.1cu.643_b20200521. Totolink's cstecgi.cgi binary is a well-known recurring source of command injection issues across the vendor's product line.
RemediationAI
No vendor-released patch identified at time of analysis - Totolink has not published a fixed firmware version in the references provided, and the only advisories are third-party (VulDB) submissions. Until the vendor issues an updated firmware build, administrators should disable remote (WAN-side) access to the Web Management Interface entirely, restrict LAN-side access to the /cgi-bin/cstecgi.cgi endpoint via firewall ACLs to a dedicated management host or VLAN, and segment the router away from untrusted clients (IoT, guest Wi-Fi); the trade-off is loss of convenient remote administration and added complexity for legitimate admins. Monitor https://www.totolink.net/ and https://vuldb.com/vuln/365438 for an updated firmware release, and as a longer-term control consider replacing the device with a model receiving active security support if no patch materializes.
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke
Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to
OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke
OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31677
GHSA-87p8-wpqj-3j8j