Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg os command injection
Description
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument wscDisabled leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Totolink A8000RU firmware 7.1cu.643_b20200521 has an OS command injection vulnerability in the setWiFiWpsCfg function via the wscDisabled parameter, allowing remote unauthenticated attackers to execute arbitrary commands.
Vulnerability
A command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521. The flaw resides in the function setWiFiWpsCfg within the file /cgi-bin/cstecgi.cgi of the web management interface. The wscDisabled parameter is read from a user-provided request and passed to the Uci_Set_Str function. However, the value is inserted into a buffer via snprintf and then processed by CsteSystem, which ultimately executes the string through execv() without sanitization [1]. No authentication or special configuration is required to reach this code path.
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to the /cgi-bin/cstecgi.cgi endpoint. The proof-of-concept includes setting the wscDisabled parameter to a payload such as ` ls>./setWiFiWpsCfg.txt , which causes the router to execute the injected OS command. The network request is made to the device's IP address (e.g., 192.168.6.2`) and can be performed remotely, without requiring prior authentication [1]. No user interaction beyond the initial request is needed.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary OS commands on the affected Totolink A8000RU router with the privileges of the web server process. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the router as a pivot for further network attacks [1]. The public availability of a proof-of-concept increases the risk of active exploitation.
Mitigation
As of the publication date (2026-05-25), no official firmware update or patch has been released by Totolink to address this vulnerability. Users are advised to restrict remote access to the device's web management interface, monitor for suspicious activity, and consider isolating the device until a fix is made available [1]. The vendor's download page for the product is provided in the reference but only the vulnerable firmware version is listed.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `wscDisabled` parameter allows OS command injection via shell metacharacters."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with `topicurl` set to `setWiFiWpsCfg` and the `wscDisabled` parameter containing shell metacharacters. The router's web management interface does not sanitize the `wscDisabled` input, allowing the attacker to inject arbitrary OS commands. The attacker can achieve remote code execution on the device by embedding backtick-enclosed commands (e.g., `` `ls>./setWiFiWpsCfg.txt` ``) in the `wscDisabled` value [ref_id=1].
Affected code
The vulnerability resides in the `setWiFiWpsCfg` function within `/cgi-bin/cstecgi.cgi`. The function reads the user-supplied parameter `wscDisabled` and passes it to `Uci_Set_Str` (defined in `libcscommon.so`). The value is then inserted into a buffer via `snprintf`, and that buffer is ultimately executed by `CsteSystem` via `execv()` [ref_id=1].
What the fix does
No patch is provided in the advisory. The researcher's report identifies that the root cause is the lack of input validation on the `wscDisabled` parameter before it is passed through `snprintf` and executed by `CsteSystem` via `execv()`. To remediate, the vendor must implement proper sanitization or escaping of shell metacharacters in user-supplied input, or avoid passing user-controlled strings directly to OS command execution functions [ref_id=1].
Preconditions
- networkThe attacker must have network access to the router's web management interface (typically on port 80/443).
- authNo authentication is required; the PoC does not include any authentication step beyond a session cookie which is trivially obtained.
Reproduction
Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_355/README.mdmitreexploit
- vuldb.com/submit/813907mitrethird-party-advisory
- vuldb.com/vuln/365415mitrevdb-entrytechnical-description
- vuldb.com/vuln/365415/ctimitresignaturepermissions-required
- www.totolink.netmitreproduct
News mentions
0No linked articles in our index yet.