Totolink A8000RU cstecgi.cgi setAppFilterCfg OS command injection
Details
CVSS v3: 9.8
CVSS v4: 9.3
CVSS v2: 10.0
EPSS: 1.2% probability · 79.5th percentile — 2026-05-12
Affected versions: Totolink A8000RU firmware 7.1cu.643_b20200521
Summary
This is an unauthenticated OS command injection vulnerability in the Totolink A8000RU wireless router firmware. The flaw exists in the setAppFilterCfg function of the cstecgi.cgi endpoint, where improper input validation allows attackers to inject arbitrary operating system commands. A public exploit has already been released for this vulnerability, enabling remote attackers to compromise affected devices.
Remediation
Install the latest available firmware update from Totolink for the A8000RU model to address this vulnerability. If no official patch is available, restrict router management interface access to trusted internal networks only and do not expose the interface to the public internet. Replace end-of-life affected devices if no further security updates will be released.
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.