Totolink A8000RU CGI cstecgi.cgi setVpnAccountCfg os command injection
Details
CVSS v3
9.8
CVSS v4
8.9
CVSS v2
10.0
NVD published
2026-04-28 08:16:02
EPSS
1.2% probability · 79.5th percentile — 2026-05-12
Affected versions
Totolink A8000RU firmware version 7.1cu.643_b20200521
Summary
This is an unauthenticated, remotely exploitable OS command injection vulnerability in the web management interface of the Totolink A8000RU wireless router (firmware 7.1cu.643_b20200521). The flaw is in the setVpnAccountCfg function reached through the /cgi-bin/cstecgi.cgi endpoint: parameter values from a crafted request are passed into an OS command without adequate sanitization, so an attacker who can reach the management interface can execute arbitrary commands on the device. An exploit has been publicly disclosed.
Remediation
Check for and install the latest official firmware from Totolink that addresses this command injection vulnerability. If no fixed firmware is available, disable remote (WAN-side) administration and restrict access to the management interface to trusted clients on the LAN, for example by firewalling the web interface and reaching it only through a VPN or an administrative jump host. Review access logs for requests to /cgi-bin/cstecgi.cgi from unexpected sources.
Exploit info
A public exploit exists and the issue is documented in public vulnerability databases; Exploit-DB and GitHub are the usual places to look for exploit details.