Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection
Description
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Totolink A8000RU's setStaticDhcpRules function allows remote unauthenticated attackers to execute arbitrary OS commands.
Vulnerability
The vulnerability resides in the setStaticDhcpRules function of /cgi-bin/cstecgi.cgi in Totolink A8000RU firmware version 7.1cu.643_b20200521. The function reads the user-supplied enable parameter and passes it to Uci_Set_Str, which inserts the value into a command string via snprintf. This string is subsequently executed by CsteSystem using execv, enabling OS command injection without requiring authentication [1].
Exploitation
An attacker can exploit this by sending a crafted POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing the enable parameter set to a command wrapped in backticks (e.g., ` ls>./setStaticDhcpRules.txt ). The request must include "topicurl":"setStaticDhcpRules"`. No authentication or special privileges are needed; the attack is remotely exploitable over the network. The public PoC confirms successful command execution by creating a file with directory listing output [1].
Impact
Successful exploitation allows arbitrary OS command execution with the privileges of the web server process. This can lead to full device compromise, including data exfiltration, malware installation, or lateral movement within the network. The impact on confidentiality, integrity, and availability is high [1].
Mitigation
As of the publication date, no official patch has been released by Totolink. The affected firmware version 7.1cu.643_b20200521 is the latest known for the A8000RU. Users should monitor the vendor's download page for updates. Until a fix is available, restrict access to the web management interface to trusted networks or disable remote management. Given the public exploit, immediate action is advised [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `enable` parameter allows OS command injection via shell metacharacters."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setStaticDhcpRules` and the `enable` parameter containing shell metacharacters. The researcher's PoC demonstrates injecting backtick-delimited commands (e.g., `` `ls>./setStaticDhcpRules.txt` ``) into the `enable` argument. Because the value is inserted into a command string without sanitization and then executed via `execv()`, the attacker's OS commands run on the router. The attack requires no authentication and is performed over HTTP [ref_id=1].
Affected code
The vulnerability resides in the function `setStaticDhcpRules` within the file `/cgi-bin/cstecgi.cgi`. The sub_433F80 function reads the user-provided `enable` parameter and passes its value to `Uci_Set_Str` (defined in `libcscommon.so`). The value is inserted into a buffer `v11` via `snprintf`, and `v11` is subsequently handled by `CsteSystem`, which ultimately calls `execv()` to execute the constructed command [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor. To close the vulnerability, the application must validate or sanitize the `enable` parameter before passing it to `snprintf` and `CsteSystem`, preventing shell metacharacters from being interpreted as commands. Input should be restricted to expected values (e.g., "0" or "1") rather than being concatenated into a command string [ref_id=1].
Preconditions
- networkThe attacker must be able to reach the router's web management interface over the network.
- authNo authentication is required; the PoC does not include any auth check.
- inputThe attacker must send a crafted POST request with the `enable` parameter containing shell metacharacters.
Reproduction
Send the following HTTP POST request to the router's `/cgi-bin/cstecgi.cgi` endpoint (replace the IP and SESSION_ID as needed):
``` POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.6.2 Content-Length: 75 X-Requested-With: XMLHttpRequest Accept-Language: en-US,en;q=0.9 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Origin: http://192.168.6.2 Referer: http://192.168.6.2/basic/index.html Accept-Encoding: gzip, deflate, br Cookie: SESSION_ID=2:1772465702:2 Connection: keep-alive {"topicurl":"setStaticDhcpRules","enable":"`ls>./setStaticDhcpRules.txt`"} ```
After the request, a file named `setStaticDhcpRules.txt` containing the directory listing will be created on the router, confirming command execution [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_340/README.mdmitreexploit
- vuldb.com/submit/813443mitrethird-party-advisory
- vuldb.com/vuln/365389mitrevdb-entrytechnical-description
- vuldb.com/vuln/365389/ctimitresignaturepermissions-required
- www.totolink.netmitreproduct
News mentions
0No linked articles in our index yet.