VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

Totolink A8000RU Web Management cstecgi.cgi setDdnsCfg os command injection

CVE-2026-9404

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument provider leads to os command injection. The attack may be launched remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TOTOLINK A8000RU firmware 7.1cu.643_b20200521 has an OS command injection in the setDdnsCfg function via the provider argument, enabling remote unauthenticated attackers to execute arbitrary commands.

Vulnerability

The TOTOLINK A8000RU router running firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the setDdnsCfg function located in the file /cgi-bin/cstecgi.cgi of the web management interface. The function reads a user-provided parameter provider and passes its value via Uci_Set_Str_By_Idx (defined in libcscommon.so) to the CsteSystem function, which ultimately executes the command using execv() without sanitization. The affected product is TOTOLINK A8000RU, firmware version 7.1cu.643_b20200521 [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a specially crafted HTTP POST request to /cgi-bin/cstecgi.cgi with the parameter provider containing injected OS commands (e.g., wrapped in backticks or quotes). No authentication or prior access is required; the attacker only needs network reachability to the router's web interface. A publicly available proof of concept demonstrates sending a JSON payload with "provider":"ls>./setDdnsCfg.txt", which leads to command execution; the PoC shows that a txt file is created, listing the directory contents [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the router with the privileges of the web server process (typically root on embedded devices). This can lead to complete compromise of the device, including disclosure of sensitive configuration data, modification of settings, installation of persistent backdoors, or further network attacks from the compromised router.

Mitigation

As of this report, TOTOLINK has not released a patched firmware version for the A8000RU (the affected version is 7.1cu.643_b20200521). The vulnerability is publicly disclosed with exploit code available, and there is no known workaround that does not involve disabling the web management interface entirely. Users should consider isolating the device from untrusted networks or replacing it with a supported model if no update becomes available [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `provider` argument in the `setDdnsCfg` handler allows attacker-controlled shell metacharacters to be passed directly into an OS command execution path."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with `topicurl` set to `setDdnsCfg` and the `provider` argument containing shell metacharacters such as backticks. The router's web management interface passes this unsanitized input into an OS command string that is executed via `execv()`, allowing arbitrary command injection [1].

Affected code

The vulnerability resides in the `setDdnsCfg` function of `/cgi-bin/cstecgi.cgi` (specifically the `sub_430128` function). The user-supplied `provider` parameter is passed to `Uci_Set_Str_By_Idx`, then inserted into a command buffer via `snprintf`, and finally executed by `CsteSystem`, which calls `execv()` [1].

What the fix does

No patch is provided in the bundle. The advisory does not specify a fix. To remediate, the vendor should validate or sanitize the `provider` parameter to reject shell metacharacters (e.g., backticks, semicolons, pipes) before the value is inserted into the command string passed to `CsteSystem` [1].
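
The validation described above could look like the following. This is an added example, not vendor code or code from the advisory: the function names, the 32-character limit, the `--provider` option and the helper path passed by the caller are all hypothetical. It goes one step beyond a metacharacter denylist by using an allowlist and by handing the value to `execv()` as a single argv element, so that no shell parses it.

```c
#include <stddef.h>
#include <string.h>

#define PROVIDER_MAX 32  /* assumed limit, not taken from the firmware */

/* Hypothetical allowlist check: accept only [A-Za-z0-9._-], non-empty and
 * bounded. An allowlist is used instead of a metacharacter denylist so that
 * characters nobody listed (newline, $, >, space) are rejected as well. */
static int provider_is_valid(const char *s)
{
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > PROVIDER_MAX)
        return 0;
    if (s[0] == '-')            /* a helper would parse this as an option */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build an argument vector for execv() with the value as one argv element,
 * so it is never spliced into a shell command string with snprintf().
 * helper_path and "--provider" are placeholders for illustration.
 * Returns 0 on success, -1 if the value is rejected or argv is too small. */
static int build_ddns_argv(const char *helper_path, const char *provider,
                           const char *argv[], size_t argv_len)
{
    if (helper_path == NULL || argv == NULL || argv_len < 4)
        return -1;
    if (!provider_is_valid(provider))
        return -1;
    argv[0] = helper_path;
    argv[1] = "--provider";
    argv[2] = provider;
    argv[3] = NULL;
    return 0;
}
```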

Preconditions

  • network: The attacker must be able to reach the router's web management interface (typically on port 80/443).
  • auth: No authentication is required; the PoC request does not include valid credentials beyond a session cookie that may be trivially obtained.
  • input: The attacker supplies a `provider` parameter containing shell metacharacters (e.g., backticks) in the POST body.

Reproduction

Send a POST request to `http://

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
