Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection
Description
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Totolink A8000RU's setRemoteCgi function allows remote attackers to execute arbitrary OS commands via the enable parameter.
Vulnerability
A command injection vulnerability exists in the setRemoteCfg function of the /cgi-bin/cstecgi.cgi script in Totolink A8000RU firmware version 7.1cu.643_b20200521. The enable parameter is passed unsanitized through Uci_Set_Str into a buffer via snprintf, and subsequently executed by CsteSystem which calls execv(). This allows an attacker to inject arbitrary OS commands by providing a crafted value for the enable argument [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the vulnerable endpoint. No authentication is required, as the PoC demonstrates a successful attack using a simple JSON payload with the enable parameter set to a backtick-enclosed command (e.g., ` ls>./setRemoteCfg.txt ). The request is sent to /cgi-bin/cstecgi.cgi with topicurl set to setRemoteCfg`. The router then executes the injected command with system privileges [1].
Impact
Successful exploitation grants the attacker arbitrary OS command execution on the router. This can lead to full compromise of the device, including file read/write, installation of malware, network reconnaissance, and potential lateral movement within the network. The PoC confirms that commands are executed successfully, demonstrating a complete loss of confidentiality, integrity, and availability [1].
Mitigation
As of the publication date, no official fix has been released by Totolink. The affected firmware version 7.1cu.643_b20200521 remains vulnerable. Users should monitor the vendor's download page for a patched firmware update. No workarounds are provided in the available references. This vulnerability is not known to be listed in the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the `enable` parameter allows OS command injection via shell metacharacters."
Attack vector
An attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setRemoteCfg` and the `enable` argument containing shell metacharacters. The researcher's PoC uses backticks to inject the command `ls>./setRemoteCfg.txt` into the `enable` parameter [ref_id=1]. Because the value is passed unsanitized through `snprintf` into a string that is later executed by `CsteSystem` via `execv()`, the injected OS command runs on the device. The attack is remotely exploitable over the network with no authentication beyond a valid session cookie [ref_id=1].
Affected code
The vulnerability resides in the function `setRemoteCfg` within the file `/cgi-bin/cstecgi.cgi` of the Totolink A8000RU firmware version 7.1cu.643_b20200521. The sub_425D60 function reads the user-provided parameter `enable` and passes its value to `Uci_Set_Str`, which is defined in `libcscommon.so`. The value is then inserted into a buffer via `snprintf` and ultimately handled by `CsteSystem`, which calls `execv()` to execute the constructed command [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff [ref_id=1]. To remediate this vulnerability, the application must validate or sanitize the `enable` parameter before inserting it into the command string, or avoid passing user-controlled input to shell execution functions such as `CsteSystem` and `execv()` altogether.
Preconditions
- networkThe attacker must be able to reach the router's web management interface over the network.
- authA valid session cookie (e.g., SESSION_ID) is required to authenticate the request.
- inputThe attacker must control the `enable` parameter in the POST body.
Reproduction
Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_338/README.mdmitreexploit
- vuldb.com/submit/813441mitrethird-party-advisory
- vuldb.com/vuln/365387mitrevdb-entrytechnical-description
- vuldb.com/vuln/365387/ctimitresignaturepermissions-required
- www.totolink.netmitreproduct
News mentions
0No linked articles in our index yet.