Critical Command Injection Flaws Expose Totolink A8000RU Routers to Remote Code Execution
Three critical vulnerabilities, CVE-2026-7121, CVE-2026-7122, and CVE-2026-7125, were disclosed in the Totolink A8000RU router running firmware 7.1cu.643_b20200521, all affecting the /cgi-bin/cstecgi.cgi CGI handler. The flaws are OS command injection issues in the setWizardCfg, setUPnPCfg, and setWiFiEasyCfg functions, where crafted input to the wizard, enable, and merge arguments can trigger command execution on the device. The vulnerabilities are mapped to CWE-78 and CWE-77 and were rated critical across CVSS v2, CVSS v3.1, and CVSS v4.0 scoring schemes.
All three issues are remotely exploitable over the network and require no privileges and no user interaction, creating a high-risk exposure for internet-accessible devices. Public exploit information has already been disclosed, with references including VulDB entries and a GitHub proof-of-concept, increasing the likelihood of near-term exploitation. The disclosures indicate that multiple administrative configuration paths in the router's web interface can be abused for remote code execution, making unpatched A8000RU systems a priority for immediate review and remediation.
Timeline
Apr 27, 2026
CVE-2026-7152 published for Totolink A8000RU setTelnetCfg command injection
On 2026-04-27, a new CVE record, CVE-2026-7152, was published for a remotely exploitable OS command injection flaw in the setTelnetCfg function of /cgi-bin/cstecgi.cgi on Totolink A8000RU firmware 7.1cu.643_b20200521. The issue can be triggered via the telnet_enabled argument, and public exploit information was reported as available.
Apr 27, 2026
CVE-2026-7121, CVE-2026-7122, and CVE-2026-7125 entries were published
On April 27, 2026, new CVE records were published for three critical Totolink A8000RU vulnerabilities: CVE-2026-7121, CVE-2026-7122, and CVE-2026-7125. The entries classified the issues under CWE-77/CWE-78 and assigned critical severity across CVSS v2, v3.1, and v4.0.
Apr 27, 2026
Public exploits disclosed for three Totolink A8000RU command injection flaws
Public exploit information was available for three remotely exploitable OS command injection issues in Totolink A8000RU firmware 7.1cu.643_b20200521, affecting the setWizardCfg, setUPnPCfg, and setWiFiEasyCfg functions in /cgi-bin/cstecgi.cgi. The flaws require no privileges or user interaction and enable remote command execution via crafted CGI parameters.
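For defenders reviewing traffic to affected devices, the following added example (not part of the original report or any vendor code) flags logged requests to /cgi-bin/cstecgi.cgi in which one of the arguments named above carries characters outside a conservative allowlist. It assumes JSON request bodies that name the handler function in a "topicurl" field and a proxy log with one JSON record per line (src, path, body); both formats, the allowlist and the sample records are assumptions constructed for illustration.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Handler function -> argument, as named in the CVE records on this page.
WATCHED = {"setWizardCfg": "wizard", "setUPnPCfg": "enable",
           "setWiFiEasyCfg": "merge", "setTelnetCfg": "telnet_enabled"}
# Conservative allowlist; shell metacharacters, quotes and whitespace fall outside it.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]*")

def inspect_request(path, body):
    """Return a reason string when a request should be reviewed, else None."""
    if path.split("?", 1)[0] != CGI_PATH:
        return None
    try:
        params = json.loads(body)
    except ValueError:
        params = None
    if not isinstance(params, dict):
        return "unparseable body sent to CGI handler"
    # Assumption: the function name is in a "topicurl" field, maybe with a path prefix.
    func = str(params.get("topicurl", "")).rsplit("/", 1)[-1]
    arg = WATCHED.get(func)
    # Unwatched functions and absent arguments yield "", which passes the allowlist.
    value = str(params.get(arg, "")) if arg else ""
    if not SAFE_VALUE.fullmatch(value):
        return f"{func}.{arg} carries unexpected value {value!r}"
    return None

def scan(log_lines):
    """Return (source address, reason) for every flagged log record."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        reason = inspect_request(rec["path"], rec["body"])
        if reason:
            findings.append((rec["src"], reason))
    return findings

# Constructed sample records (documentation addresses, placeholder values).
SAMPLE_LOG = [json.dumps({"src": s, "path": p, "body": json.dumps(b)}) for s, p, b in [
    ("192.0.2.10", CGI_PATH, {"topicurl": "setUPnPCfg", "enable": "1"}),
    ("198.51.100.7", CGI_PATH, {"topicurl": "setTelnetCfg", "telnet_enabled": "1;PLACEHOLDER"}),
    ("198.51.100.7", CGI_PATH, {"topicurl": "setWiFiEasyCfg", "merge": "$(PLACEHOLDER)"}),
    ("192.0.2.10", "/index.html", {}),
]]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Any request to the CGI handler arriving from an untrusted network is worth reviewing on its own; the allowlist check only narrows attention to the arguments these CVE records name.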
Related Stories

Critical Command Injection Flaws Expose Totolink A7100RU and A8000RU Routers
Two Totolink router models, **A7100RU** and **A8000RU**, were disclosed with critical OS command injection vulnerabilities in the CGI handler endpoint `/cgi-bin/cstecgi.cgi`. The flaws affect the `setVpnPassCfg` function and stem from improper handling of the `pptpPassThru` argument, allowing attackers to inject operating system commands remotely. The issues were assigned **CVE-2026-5850** for the A7100RU running firmware `7.4cu.2313_b20191024` and **CVE-2026-7037** for the A8000RU running firmware `7.1cu.643_b20200521`. Both vulnerabilities are classified under **CWE-78** and **CWE-77**, and were reported as remotely exploitable without privileges or user interaction. The disclosures indicate that **public exploits are available**, materially raising the risk of opportunistic compromise of exposed devices. Severity scoring across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** places the flaws at critical or maximum-impact levels, making internet-facing Totolink routers running the affected firmware high-priority targets for remediation or isolation.
1 week ago
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router
Two critical vulnerabilities, **CVE-2026-5851** and **CVE-2026-5976**, were disclosed in the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024`, exposing the device to remote **OS command injection** without authentication or user interaction. Both flaws affect `/cgi-bin/cstecgi.cgi` in the router's CGI handler: CVE-2026-5851 is tied to the `setUPnPCfg` function through the `enable` argument, while CVE-2026-5976 affects the `setStorageCfg` function through the `sambaEnabled` argument. The vulnerabilities were classified under **CWE-78** and **CWE-77** and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to **VulDB** and a **GitHub** disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.
2 weeks ago
Publicly Exploitable Command Injection Flaws Disclosed in Totolink A3300R Router
Two high-severity command injection vulnerabilities have been disclosed in the **Totolink A3300R** router, both affecting firmware version `17.0.0cu.557_b20221024` and exposing the device to remote code execution through `/cgi-bin/cstecgi.cgi`. The flaws are tracked as **`CVE-2026-5104`** and **`CVE-2026-5101`**. `CVE-2026-5104` affects the `setStaticRoute` function, where manipulation of the `ip` argument can trigger command injection, while `CVE-2026-5101` affects the `setLanCfg` function in the Parameter Handler component through the `lanIp` argument. Public exploit material has been disclosed for both issues, according to VulDB and referenced advisory material, raising the risk of active abuse against exposed devices. NVD subsequently added initial analysis for the CVEs, assigning higher **CVSS v3.1** severity assessments than the original CNA submissions and mapping the weaknesses to **`CWE-77`**, **`CWE-74`**, and **`CWE-78`**. The disclosures indicate that attackers could remotely inject operating system commands via crafted requests, making patching, exposure reduction, and monitoring of internet-facing Totolink A3300R systems urgent priorities.
1 week ago