VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection

CVE-2026-9384

Description

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument ip results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows a remote attacker who can reach the web management interface to execute arbitrary OS commands via the `ip` parameter of the `setDiagnosisCfg` handler. The published proof of concept sends the request with a valid session cookie; whether the endpoint enforces authentication is not established by the material on this page.

Vulnerability

The Totolink A8000RU router running firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the Web Management Interface. The function setDiagnosisCfg in /cgi-bin/cstecgi.cgi does not validate the ip argument: the value is formatted into a command buffer with snprintf and the buffer is handed to CsteSystem, which ultimately runs it via execv(). Because the proof of concept relies on backtick command substitution, the string must pass through a shell on the way to execv(); execv() itself does not interpret shell metacharacters. An attacker can therefore run arbitrary commands by supplying a crafted value for the ip parameter. The vulnerability was reported by researcher Litengzheng [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a POST request to /cgi-bin/cstecgi.cgi with a JSON payload whose ip value contains shell metacharacters. The proof of concept includes a session cookie (SESSION_ID) in the request; the page does not show whether the handler rejects requests that lack one. The proof of concept uses backtick-based injection (`` `ls>./setDiagnosisCfg.txt` ``) so that the `ls` command runs and its output is redirected to a file, demonstrating command execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the router with the privileges of the CGI process, which on this class of device is typically root. This can lead to full compromise of the device, including information disclosure, configuration modification, persistent backdoors, and attacks against other hosts on the LAN. The PoC's `ls>./setDiagnosisCfg.txt` payload writes a file into the CGI's working directory, confirming that the injected command ran [1].

Mitigation

As of the publication date, no official patch or firmware update has been released by Totolink to address this vulnerability in version 7.1cu.643_b20200521. Users should monitor the vendor's download page for updates (https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/176/ids/36.html). Until a fix is available, disable remote (WAN-side) management, restrict access to the web management interface to trusted hosts on the LAN, and treat the device as untrusted if its management interface has been reachable from the Internet [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1 (Totolink A8000RU 7.1cu.643_b20200521)

Patches

0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the `ip` parameter allows OS command injection via shell metacharacters."

Attack vector

A remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with a JSON body containing `topicurl` set to `"setDiagnosisCfg"` and an `ip` parameter containing shell metacharacters. The attacker can inject arbitrary OS commands by wrapping them in backticks (e.g., `` `ls>./setDiagnosisCfg.txt` ``). Because the `ip` value is unsanitized and the command string built from it is run by `CsteSystem` through a shell and `execv()`, the injected commands execute on the router's operating system. The proof of concept sends the request with a SESSION_ID session cookie; no authentication check on the vulnerable code path is shown, but its absence is not established [ref_id=1].

Affected code

The vulnerability resides in the function `setDiagnosisCfg` within the file `/cgi-bin/cstecgi.cgi`. Specifically, the sub-function `sub_423CC8` reads a user-provided `ip` parameter and inserts it into a buffer via `snprintf` without sanitization. The resulting string is passed to `CsteSystem`, which ultimately calls `execv()` to execute the command [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor. To close this vulnerability, the handler must validate the `ip` parameter before it reaches `snprintf` and `CsteSystem`: accept only a syntactically valid IPv4 or IPv6 literal (positive validation, e.g. via `inet_pton`) rather than trying to blacklist backticks, semicolons, pipes and other shell metacharacters, which is easy to get wrong. Independently of validation, the diagnostic command should be executed with an argument vector (`execv`/`execvp` with no shell in between) so that the `ip` value is passed as a single literal argument and cannot be interpreted by `sh` at all [ref_id=1].
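The following is an added example, not Totolink code and not from the advisory, illustrating both the unsafe pattern described under Affected code and the two-layer fix described above. The diagnostic command (`ping -c 4 <ip>`) is an assumption: the advisory only says the `ip` value is formatted with `snprintf` and handed to `CsteSystem`/`execv()`. The function and variable names are hypothetical.

```c
/* Added example (not Totolink code): the unsafe command-building pattern
 * described for setDiagnosisCfg, beside a hardened replacement.
 * ASSUMPTION: the diagnostic command is "ping -c 4 <ip>"; the advisory does
 * not say which tool the handler runs. Names below are hypothetical. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe sink, as the advisory describes it: the attacker-controlled ip is
 * formatted verbatim into a command line that a shell will later interpret,
 * so backticks, ';' and '|' in ip become part of the command. Returns the
 * length snprintf reports so a caller can detect truncation. */
int unsafe_build_cmd(char *out, size_t outlen, const char *ip)
{
    return snprintf(out, outlen, "ping -c 4 %s", ip); /* ip not validated */
}

/* Layer 1, positive validation: accept only a syntactically valid IPv4 or
 * IPv6 literal. Everything else (backticks, separators, hostnames, trailing
 * whitespace) is rejected, so no metacharacter reaches a command string.
 * Returns 1 if ip is a literal address, 0 otherwise. */
int ip_is_literal(const char *ip)
{
    unsigned char addr[sizeof(struct in6_addr)];
    if (ip == NULL || strlen(ip) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, ip, addr) == 1 ||
           inet_pton(AF_INET6, ip, addr) == 1;
}

/* Layer 2, no shell: after validation, build an argv for execv()/execvp()
 * instead of a command line. Even if a metacharacter ever slipped through,
 * execv() passes it to ping as one literal argument; sh never sees it.
 * Fills argv (5 slots, NULL-terminated) and returns 0 on success, -1 if the
 * ip value was rejected. */
int safe_diag_argv(const char *ip, const char *argv[5])
{
    if (!ip_is_literal(ip))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = ip;   /* a single literal argument, whatever it contains */
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed input: the backtick payload shape from the advisory. */
    const char *payload = "`ls>./setDiagnosisCfg.txt`";
    const char *argv[5];
    char cmd[256];

    unsafe_build_cmd(cmd, sizeof cmd, payload);
    printf("unsafe command line: %s\n", cmd);
    printf("payload accepted by hardened path: %s\n",
           safe_diag_argv(payload, argv) == 0 ? "yes" : "no");
    printf("192.168.1.1 accepted by hardened path: %s\n",
           safe_diag_argv("192.168.1.1", argv) == 0 ? "yes" : "no");
    return 0;
}
```

In a real handler the argv from `safe_diag_argv` would be passed to `fork()` + `execv("/bin/ping", ...)`; the example stops short of executing anything. Validation alone is not enough if the command string still goes through `sh -c`, and `execv` alone is not enough if the value is later reused in another string-built command, which is why both layers are shown.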

Preconditions

  • network: The attacker must be able to reach the router's web management interface on the network (typically port 80/443).
  • auth: Not established. The proof of concept sends a SESSION_ID session cookie with the request, but no authentication check on the vulnerable code path is shown either way.
  • input: The attacker must send a POST request with a JSON body containing `topicurl` set to `setDiagnosisCfg` and a malicious `ip` parameter.

Reproduction

1. Ensure the target Totolink A8000RU (firmware 7.1cu.643_b20200521) is reachable on the network.
2. Send the following HTTP POST request to `/cgi-bin/cstecgi.cgi`:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:
```

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5 (not listed on this page)

News mentions

0. No linked articles in our index yet.