VYPR
← All advisories
Unrated severityNVD Advisory· Published May 24, 2026

Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection

CVE-2026-9388

Description

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument mode can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote attackers to execute arbitrary OS commands via the mode parameter in setScheduleCfg.

Vulnerability

A command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521 [1]. The flaw resides in the setScheduleCfg function within /cgi-bin/cstecgi.cgi. The mode parameter is read and passed to Uci_Set_Str without sanitization. The value is then inserted into a command string via snprintf and executed by CsteSystem using execv() [1]. No authentication is required to trigger the vulnerability; an attacker can send a crafted POST request to the web management interface.

Exploitation

An attacker with network access to the router's web interface can exploit this vulnerability by sending a POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing "topicurl":"setScheduleCfg" and a mode value that includes arbitrary OS commands enclosed in backticks [1]. For example, setting mode to ` ls>./setScheduleCfg.txt causes the router to execute the ls` command and write the output to a file [1]. The command is executed with the privileges of the web server, typically root.

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the router, leading to full device compromise [1]. This can result in unauthorized access to network traffic, modification of router configuration, data exfiltration, or use of the device as a pivot for further attacks within the network.

Mitigation

As of the publication date, no patched firmware version has been released by TOTOLINK [1]. Users should monitor the vendor's download page for updates. In the absence of a fix, restrict access to the web management interface to trusted networks only, disable remote management if not required, and consider using network segmentation to limit exposure. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

References
  1. vuldb_new2/A8000RU/vul_335/README.md at main · Litengzheng/vuldb_new2

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `setScheduleCfg` function allows user-supplied `mode` parameter values to be passed directly into a system command execution path via `CsteSystem` and `execv()`."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with `topicurl` set to `setScheduleCfg` and the `mode` parameter containing arbitrary OS commands wrapped in backticks [ref_id=1]. The router's web management interface accepts the JSON payload and passes the unsanitized `mode` value into a system command execution path, allowing the attacker to execute arbitrary commands on the device [ref_id=1]. No authentication or special network position is required beyond network access to the router's management interface.

Affected code

The vulnerability resides in the `setScheduleCfg` function (sub_4264F0) within `/cgi-bin/cstecgi.cgi`. The function reads the user-supplied `mode` parameter and passes it through `snprintf` into a buffer (`v11`), which is then processed by `CsteSystem` and ultimately executed via `execv()` [ref_id=1]. The `Uci_Set_Str` function from `libcscommon.so` is also involved in the data flow [ref_id=1].

What the fix does

No patch has been published by the vendor for this vulnerability [ref_id=1]. The advisory recommends that users apply input validation and sanitization to the `mode` parameter before it reaches the command execution path, or avoid passing user-controlled data to system-level functions like `CsteSystem` and `execv()` [ref_id=1]. Without a vendor fix, the only mitigation is to restrict network access to the management interface or upgrade to a newer firmware version if one becomes available.

Preconditions

  • networkAttacker must have network access to the router's web management interface (typically on port 80/443).
  • authNo authentication is required; the PoC does not include any session-dependent checks beyond a cookie.
  • configThe router must be running firmware version 7.1cu.643_b20200521.

Reproduction

Send the following HTTP POST request to the router's `/cgi-bin/cstecgi.cgi` endpoint [ref_id=1]:

``` POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.6.2 Content-Length: 72 X-Requested-With: XMLHttpRequest Accept-Language: en-US,en;q=0.9 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Origin: http://192.168.6.2 Referer: http://192.168.6.2/basic/index.html Accept-Encoding: gzip, deflate, br Cookie: SESSION_ID=2:1772465702:2 Connection: keep-alive

{"topicurl":"setScheduleCfg","mode":"`ls>./setScheduleCfg.txt`"} ```

After sending the request, the file `setScheduleCfg.txt` will be created in the current directory containing the directory listing, confirming command execution [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.