This is a critical remote code execution vulnerability in the CGI handler of Totolink A8000RU wireless routers. The flaw occurs in the setVpnPassCfg function, where improper input validation of the pptpPassThru argument allows for arbitrary OS command injection. Attackers can exploit this issue remotely without authentication to take full control of affected devices.
Remediation
No official vendor patch is currently available for this vulnerability. Organizations should restrict public access to the affected router's /cgi-bin/cstecgi.cgi endpoint. If the device is no longer supported, replace it with a maintained alternative to eliminate the risk.
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.