VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection

CVE-2026-9433

Description

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OS command injection vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote attackers to execute arbitrary commands via the enable parameter in setMacFilterRules.

Vulnerability

A command injection vulnerability exists in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The flaw resides in the setMacFilterRules function within /cgi-bin/cstecgi.cgi. The enable parameter is passed unsanitized through Uci_Set_Str into a buffer that is later executed by CsteSystem via execv(). This allows an attacker to inject arbitrary OS commands. The vulnerable code path is in the sub_432298 function of the libcscommon.so library [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to /cgi-bin/cstecgi.cgi with a malicious enable parameter containing backtick-enclosed commands. The PoC demonstrates setting enable to `` `ls>./setMacFilterRules.txt` ``, which results in command execution. No authentication is required, as the CGI endpoint is accessible without valid credentials [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with root privileges on the device. This can lead to full compromise of the router, including data exfiltration, installation of malware, or use as a pivot point for further network attacks. The PoC confirms file creation, demonstrating command execution [1].

Mitigation

As of the publication date, no official patch has been released by Totolink. Users should consider isolating the affected device from untrusted networks, disabling remote management, or replacing the device if possible. Given that the exploit is publicly available, immediate action is recommended [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `setMacFilterRules` function allows the user-supplied `enable` parameter to be directly interpolated into a system command executed via `execv()`."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with a JSON body containing the `enable` parameter. The attacker injects arbitrary OS commands by wrapping them in backticks (e.g., `` `ls>./setMacFilterRules.txt` ``) within the `enable` value. The router's CGI handler passes this unsanitized input into a system command that is executed via `execv()`, allowing the attacker to run any shell command on the device [1].

Affected code

The vulnerability resides in the `setMacFilterRules` function (sub_432298) of `/cgi-bin/cstecgi.cgi` on the Totolink A8000RU. The function reads the user-supplied `enable` parameter and passes it through `snprintf` into a buffer (`v11`), which is then handled by `Uci_Set_Str` and ultimately `CsteSystem`, where `execv()` executes the constructed command [1].

What the fix does

No patch is provided in the bundle. The advisory identifies the root cause as the lack of sanitization of the `enable` parameter before it is inserted into a command string via `snprintf` and executed by `CsteSystem`/`execv()` [1]. To remediate, the vendor must validate or escape the `enable` input so that shell metacharacters (such as backticks) are never interpreted by the shell, or avoid passing user-controlled data directly into system command execution paths.
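The two remediation options named above, sketched as an added example (this is not Totolink's code and not from the advisory). It assumes `enable` is an on/off flag whose only legal values are "0" and "1"; the function names, the `macfilter.enable` key and the `/bin/echo` stand-in for the device's configuration tool are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allow-list check (assumption: the flag has exactly two legal values).
 * Backticks, ';', '$(...)' and everything else fail by construction. */
int enable_is_valid(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* Run a program from an argv vector with no shell in between, so no
 * argument is ever parsed for metacharacters.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical hardened handler: validate first, then hand the value
 * over as a single argv element instead of a formatted shell string. */
int set_mac_filter_enable(const char *enable)
{
    char arg[32];
    if (!enable_is_valid(enable))
        return -1;                  /* rejected before any command exists */
    snprintf(arg, sizeof arg, "macfilter.enable=%s", enable);
    char *const argv[] = { "/bin/echo", arg, NULL };  /* stand-in binary */
    return run_argv(argv);
}
```

Either control alone blocks the backtick payload; together, a value that somehow passes validation still reaches the child process as inert data.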

Preconditions

  • network: The attacker must have network access to the router's web management interface (typically on port 80/443).
  • auth: No authentication is required; the PoC request does not include any session-dependent checks beyond a cookie that may be trivially obtained.
  • input: The attacker must be able to send a crafted HTTP POST request with a JSON body to /cgi-bin/cstecgi.cgi.

Reproduction

Send the following HTTP POST request to the target router (replace the Host IP as needed):

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 72
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=2:1774537321:2
Connection: keep-alive

{"topicurl":"setMacFilterRules","enable":"`ls>./setMacFilterRules.txt`"}
```

After the request is processed, the file `setMacFilterRules.txt` will be created in the current directory containing the directory listing, confirming command execution [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
