Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection
Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Totolink A8000RU router's setGameSpeedCfg function allows remote unauthenticated attackers to execute arbitrary OS commands.
Vulnerability
A command injection vulnerability exists in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The flaw resides in the setGameSpeedCfg function within the file /cgi-bin/cstecgi.cgi. The function reads the user-supplied enable parameter and passes it unsanitized through snprintf into a variable v11, which is then executed by CsteSystem via execv() [1]. No authentication is required to reach this code path.
Exploitation
An attacker with network access to the router's web interface can exploit this by sending a crafted POST request to /cgi-bin/cstecgi.cgi. The request must include a JSON payload with the enable parameter set to a command wrapped in shell metacharacters (e.g., backticks). The public proof-of-concept demonstrates setting enable to `ls>./setGameSpeedCfg.txt` (backticks included), which successfully executes the ls command and writes output to a file [1]. The command runs with the privileges of the web server process.
Impact
Successful exploitation allows remote attackers to execute arbitrary operating system commands on the router. This can lead to full device compromise, including data exfiltration, installation of persistent malware, or use of the router as a pivot point for further network attacks. The impact is critical given the router's role as a network gateway.
Mitigation
As of the publication date (2026-05-24), no official patch or security advisory has been released by Totolink. The vendor has not acknowledged the vulnerability. Users should isolate the router from untrusted networks, restrict administrative access, or consider replacing it with a supported model. The exploit is publicly available, so immediate action is recommended. No workaround is provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `setGameSpeedCfg` handler allows user-supplied shell metacharacters to reach OS command execution via `execv()`."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setGameSpeedCfg` and the `enable` parameter containing shell metacharacters. The researcher's PoC uses backticks to inject the command `ls>./setGameSpeedCfg.txt` into the `enable` argument [ref_id=1]. Because the firmware does not sanitize or validate the input before passing it to `execv()`, arbitrary OS commands are executed with the privileges of the web server process. The attack requires network access to the router's web management interface.
Affected code
The vulnerability resides in the `sub_420CA8` function inside `/cgi-bin/cstecgi.cgi` of the Totolink A8000RU firmware version 7.1cu.643_b20200521. The function reads the user-supplied `enable` parameter and passes it via `snprintf` into a buffer `v11`, which is then handled by `CsteSystem` and ultimately executed by `execv()`. The library `libcscommon.so` contains the `Uci_Set_Str` function that is also involved in the flow [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor [ref_id=1]. To close this vulnerability, the vendor should implement strict input validation on the `enable` parameter, rejecting or escaping shell metacharacters before the value reaches `snprintf` and `CsteSystem`. Alternatively, the application should avoid passing user-controlled strings to OS command execution functions like `execv()` entirely.
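The remediation described above, as an added example (not Totolink's code and not taken from the advisory): the snprintf-into-command pattern next to an allow-list check that hands execv() an argument vector, so no shell parses the value. Assumptions: `enable` is a boolean flag, and `hypothetical_tool` with its path stands in for the firmware's real command, which the page does not show.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the page describes: the request's "enable" value is formatted
 * into a command string. "hypothetical_tool" is a constructed placeholder. */
int build_cmd_unsafe(char *out, size_t n, const char *enable) {
    return snprintf(out, n, "hypothetical_tool set enable=%s", enable);
}

/* Returns 1 if s contains a character a shell would interpret. */
int has_shell_meta(const char *s) {
    return s[strcspn(s, "`$;|&<>(){}\\\"'\n")] != '\0';
}

/* Allow-list (assumption: the flag is boolean): only "0" or "1" pass. */
int enable_is_valid(const char *enable) {
    return enable != NULL &&
           (strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

/* Hardened form: validate, then fill an argv for execv() so the value is
 * one literal argument. Returns 0 on success, -1 if the value is rejected. */
int build_argv_safe(const char *argv[4], const char *enable) {
    if (!enable_is_valid(enable))
        return -1;
    argv[0] = "/usr/bin/hypothetical_tool"; /* placeholder path */
    argv[1] = "set-enable";
    argv[2] = enable;
    argv[3] = NULL;
    return 0;
}

int main(void) {
    /* Sample inputs: a normal value and the value quoted on this page. */
    const char *samples[] = { "1", "`ls>./setGameSpeedCfg.txt`" };
    for (size_t i = 0; i < 2; i++) {
        char cmd[128];
        const char *argv[4];
        build_cmd_unsafe(cmd, sizeof cmd, samples[i]);
        printf("input: %s\n", samples[i]);
        printf("  string form carries shell metacharacters: %s\n",
               has_shell_meta(cmd) ? "yes" : "no");
        printf("  hardened handler: %s\n",
               build_argv_safe(argv, samples[i]) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```
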
Preconditions
- network: Attacker must have network access to the router's web management interface (typically on port 80 or 443).
- auth: No authentication is required; the PoC request does not include valid credentials beyond a session cookie that may be trivially obtained.
- input: The attacker must be able to send a crafted HTTP POST request with a JSON body containing the `enable` parameter.
Reproduction
1. Ensure the target Totolink A8000RU (firmware 7.1cu.643_b20200521) is reachable at an IP address (e.g., 192.168.6.2).
2. Send the following HTTP POST request using curl or a similar tool:
```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 75
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Cookie: SESSION_ID=2:1772465702:2
Connection: keep-alive

{"topicurl":"setGameSpeedCfg","enable":"`ls>./setGameSpeedCfg.txt`"}
```
3. Verify command execution by checking that the file `setGameSpeedCfg.txt` was created on the router, containing the directory listing [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_337/README.md (mitre, exploit)
- vuldb.com/submit/813440 (mitre, third-party-advisory)
- vuldb.com/vuln/365386 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365386/cti (mitre, signature, permissions-required)
- www.totolink.net (mitre, product)