VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection

CVE-2026-9432

Description

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Totolink A8000RU router via bgProtection parameter allows remote unauthenticated attackers to execute arbitrary commands.

Vulnerability

The Totolink A8000RU router running firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the Web Management Interface. The function setWiFiAdvancedCfg in /cgi-bin/cstecgi.cgi reads the user-supplied bgProtection argument and passes it to Uci_Set_Str and later to CsteSystem, which executes commands via execv(). The lack of sanitization allows arbitrary command injection [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack involves sending a crafted POST request to /cgi-bin/cstecgi.cgi with a malicious bgProtection parameter containing backtick-enclosed commands. The provided PoC injects ls>./setWiFiAdvancedCfg.txt to demonstrate execution. The attacker must have network access to the router's web interface [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands as root on the router, leading to full compromise. This can result in information disclosure, modification of router settings, denial of service, or use of the device in botnets. The attack achieves remote code execution (RCE) with high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, no official patch has been released by Totolink. Users should monitor the vendor's download page for firmware updates. In the absence of a patch, restrict access to the web interface to trusted networks only, and consider disabling remote management if not required. The vulnerability is publicly disclosed and a PoC is available, increasing risk [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the bgProtection parameter allows OS command injection via shell metacharacters."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setWiFiAdvancedCfg` and the `bgProtection` parameter containing shell metacharacters such as backticks. The router's web management interface does not sanitize this input, so the injected command (e.g., `` `ls>./setWiFiAdvancedCfg.txt` ``) is executed by the underlying OS via `execv()` [1]. No authentication is required beyond a valid session cookie, which can be obtained by accessing the router's web interface.

Affected code

The vulnerability resides in the `setWiFiAdvancedCfg` function within `/cgi-bin/cstecgi.cgi`. The function reads the user-supplied `bgProtection` parameter and passes it to `Uci_Set_Str`, which inserts the value into a buffer via `snprintf`. That buffer is then processed by `CsteSystem`, which ultimately calls `execv()` to execute the constructed command [1].

What the fix does

No patch is provided in the bundle. The advisory identifies that the root cause is the lack of input sanitization on the `bgProtection` parameter before it is passed to `snprintf` and subsequently to `CsteSystem`/`execv()` [1]. To remediate, the vendor should validate or escape the `bgProtection` value to prevent shell metacharacters from being interpreted as commands, or use a safe API that avoids shell invocation entirely.
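The validation step described above could look like the following. This is an added example, not Totolink's code or a vendor fix. The function names `parse_bg_protection` and `canonical_bg_protection` are hypothetical, and the 0..2 value range is an assumption about what `bgProtection` is meant to hold.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: bgProtection is a small numeric mode selector. The upper bound
 * is illustrative and must be matched to the real firmware setting. */
#define BG_PROTECTION_MAX 2

/* Strict allow-list parse: digits only, bounded length, bounded value.
 * Returns 0 and stores the mode on success, -1 on any other input. */
int parse_bg_protection(const char *value, int *mode_out)
{
    if (value == NULL || mode_out == NULL)
        return -1;
    size_t len = strlen(value);
    if (len == 0 || len > 3)              /* bound length before parsing */
        return -1;
    int mode = 0;
    for (size_t i = 0; i < len; i++) {
        if (value[i] < '0' || value[i] > '9')
            return -1;                    /* rejects backticks, spaces, signs, ... */
        mode = mode * 10 + (value[i] - '0');
    }
    if (mode > BG_PROTECTION_MAX)
        return -1;
    *mode_out = mode;
    return 0;
}

/* Re-serialise from the validated integer, so no byte of the request body
 * is ever copied into the string handed to the config/exec layer. */
int canonical_bg_protection(const char *raw, char *out, size_t out_len)
{
    int mode;
    if (out == NULL || parse_bg_protection(raw, &mode) != 0)
        return -1;
    int n = snprintf(out, out_len, "%d", mode);
    return (n > 0 && (size_t)n < out_len) ? 0 : -1;
}

int main(void)
{
    /* Constructed samples; the last one is the PoC value quoted on this page. */
    const char *samples[] = { "1", "2", "3", " 1", "`ls>./setWiFiAdvancedCfg.txt`" };
    char buf[8];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = canonical_bg_protection(samples[i], buf, sizeof buf);
        printf("%-32s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

Rebuilding the value from the parsed integer, rather than forwarding the original string after a check, means a gap in the validator cannot let request bytes through to `snprintf` and `execv()`.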

Preconditions

  • network: Attacker must have network access to the router's web management interface (typically on port 80/443).
  • auth: A valid session cookie (SESSION_ID) is required, obtainable by accessing the router's web interface.
  • input: The attacker sends a crafted POST request with shell metacharacters in the bgProtection parameter.

Reproduction

Send a POST request to `/cgi-bin/cstecgi.cgi` with the following body (adjust the SESSION_ID as needed): `` {"topicurl":"setWiFiAdvancedCfg","bgProtection":"`ls>./setWiFiAdvancedCfg.txt`"} ``. After the request, access `http://

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
