Totolink A8000RU Web Management cstecgi.cgi setFirewallType os command injection
Description
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setFirewallType of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Totolink A8000RU web interface allows remote attackers to execute arbitrary OS commands via the firewallType parameter.
Vulnerability
The Totolink A8000RU router firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the web management interface. The function setFirewallType in /cgi-bin/cstecgi.cgi reads the user-supplied firewallType parameter and passes it to the Uci_Set_Str function in libcscommon.so. The value is then inserted into a command string via snprintf and executed by CsteSystem using execv [1]. No input sanitization is performed, allowing arbitrary command injection.
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a malicious firewallType value. The PoC demonstrates using backtick-enclosed commands, such as ` ls>./setFirewallType.txt `, which are executed by the router's operating system [1]. The attack requires network access to the router's web interface; no prior authentication is explicitly required, though the PoC includes a session cookie that may be obtained from an existing session.
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router with root privileges. This can lead to full device compromise, including data exfiltration, installation of malware, and use of the router as a pivot for further network attacks.
Mitigation
As of the publication date, no official patch has been released by Totolink for this vulnerability [1]. Users should restrict network access to the web management interface to trusted hosts only, disable remote management if not needed, and monitor the vendor's support page for future firmware updates.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `setFirewallType` handler allows OS command injection via the `firewallType` parameter."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with a JSON payload containing the `firewallType` parameter. The parameter value includes shell metacharacters (e.g., backticks) that inject arbitrary OS commands. Because the value is passed unsanitized through `snprintf` into a buffer that is later executed by `execv()` via `CsteSystem`, the injected command runs on the device [ref_id=1]. The attacker must be on the same network as the router (e.g., LAN) to reach the web management interface.
Affected code
The vulnerability resides in the `setFirewallType` function within `/cgi-bin/cstecgi.cgi` (specifically the `sub_41F598` function). The user-supplied `firewallType` parameter is passed via `snprintf` into a buffer (`v11`), which is then processed by `CsteSystem` and ultimately executed by `execv()` [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a fix or remediation guidance. To close this vulnerability, the vendor would need to sanitize or validate the `firewallType` input to reject shell metacharacters before the value is used in `snprintf` and passed to `CsteSystem`, or avoid passing user-controlled strings to a command execution path entirely.
Preconditions
- networkAttacker must have network access to the router's web management interface (typically LAN-side).
- configThe web management interface must be enabled and reachable.
- authNo authentication is required; the PoC does not include any auth bypass step.
Reproduction
Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_339/README.mdmitreexploit
- vuldb.com/submit/813442mitrethird-party-advisory
- vuldb.com/vuln/365388mitrevdb-entrytechnical-description
- vuldb.com/vuln/365388/ctimitresignaturepermissions-required
- www.totolink.netmitreproduct
News mentions
0No linked articles in our index yet.