VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection

CVE-2026-9435

Description

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enable leads to OS command injection. The attack can be launched remotely. A public exploit exists and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Totolink A8000RU firmware 7.1cu.643_b20200521 has an OS command injection in the setQosCfg function via the enable argument, allowing remote attackers to execute arbitrary commands.

Vulnerability

The Totolink A8000RU router running firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the setQosCfg function of the file /cgi-bin/cstecgi.cgi (the Web Management Interface). The function reads a user-provided parameter enable and passes its value to Uci_Set_Str, which ultimately inserts the value into a buffer via snprintf. The resulting string is executed by CsteSystem using execv(). No authentication is required according to the available references, and the attack can be performed over the network by sending a crafted HTTP POST request to the CGI endpoint [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted POST request to /cgi-bin/cstecgi.cgi with a JSON payload in which topicurl is set to setQosCfg and the enable parameter carries an arbitrary OS command enclosed in backticks. The described proof-of-concept sets enable to the string "`ls>./setQosCfg.txt`" (backticks included). The resulting command is executed by the router's operating system without requiring prior user interaction. Remote exploitation over the network is possible [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the web server process. In the reported proof-of-concept, the command created a file with directory listings, confirming full command execution. An attacker could use this to read, modify, or delete files, install malware, or pivot to other network hosts [1].

Mitigation

As of the publication date, no patched firmware version has been announced by Totolink. The affected version 7.1cu.643_b20200521 is available from the vendor's download page [1]. Users should monitor the vendor's website for security updates. Until a fix is released, restricting network access to the management interface and deploying web application firewall rules to block suspicious POST requests to /cgi-bin/cstecgi.cgi may reduce risk. The vulnerability is not listed in CISA KEV as of this writing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User-controlled input from the `enable` parameter is unsafely interpolated into a command string that is passed to `execv()`, allowing OS command injection."

Attack vector

An attacker sends a crafted HTTP POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` parameter set to `setQosCfg` and the `enable` parameter containing shell metacharacters (e.g., backticks) wrapping arbitrary OS commands [1]. The request must be sent from a client that can reach the router's web interface (typically on the local network). No authentication bypass is described; the PoC includes a valid session cookie, suggesting the attacker must have or obtain a session first [1]. The `enable` value is unsafely interpolated into a command string that is then executed by `execv()`, allowing arbitrary command execution [1].

Affected code

The vulnerability resides in the function `sub_420A88` within `/cgi-bin/cstecgi.cgi`. This function reads the user-provided parameter `enable` and passes its value to `Uci_Set_Str` (defined in `libcscommon.so`). The value of `enable` is inserted into a buffer `v11` via `snprintf`, and `v11` is subsequently handled by `CsteSystem`, which ultimately calls `execv()` to execute the constructed command [1].

What the fix does

No patch is provided in the bundle, and the advisory does not specify a fix. To remediate this vulnerability, the vendor should validate the `enable` parameter against the values it is expected to take and reject anything else, including shell metacharacters (such as backticks, semicolons, or pipes), before the value is interpolated into the command string. Beyond that, user-controlled input should never be spliced into a single command string that a shell interprets; the command and its arguments should instead be handed to `execv()` (or a similar API) as a separate argument vector, so that metacharacters in an argument are never parsed as shell syntax.
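As an added example (not Totolink's code), the sink pattern described above beside the two fixes just named, in C: a strict allowlist for the `enable` value and an argument vector passed to `execv()` instead of a shell string. It assumes `enable` is a boolean "0"/"1" toggle and that the setting maps to the UCI key `qos.global.enable` via `/sbin/uci`; none of those details come from the advisory.

```c
/* Added example, not Totolink's code: the sink the advisory describes (a request value formatted
 * into a shell command with snprintf) beside a hardened version. UCI key and /sbin/uci path are assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the value lands verbatim in a string a shell will parse later,
 * so backticks, ';' or '|' in it decide what actually runs. */
int build_cmd_vulnerable(const char *enable, char *cmd, size_t len)
{
    return snprintf(cmd, len, "uci set qos.global.enable=%s", enable);
}

/* Defence 1: strict allowlist. setQosCfg's "enable" is assumed to be a boolean toggle, so only
 * "0" or "1" are legitimate; anything else is rejected before any command string exists. */
int validate_enable(const char *enable)
{
    return enable != NULL && (strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

/* Defence 2: an argument vector instead of a shell string; returns -1 if validation fails. */
int build_uci_argv(const char *enable, char *kv, size_t kvlen, char *argv[4])
{
    if (!validate_enable(enable)) return -1;
    snprintf(kv, kvlen, "qos.global.enable=%s", enable);
    argv[0] = "/sbin/uci"; argv[1] = "set"; argv[2] = kv; argv[3] = NULL;
    return 0;
}

/* execv() the vector directly: no "/bin/sh -c", so metacharacters in argv[2] are plain bytes. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[128], kv[64], *argv[4];
    build_cmd_vulnerable("`ls>./setQosCfg.txt`", cmd, sizeof cmd);
    printf("%s\nPoC value rejected by hardened path: %d\n", cmd,
           build_uci_argv("`ls>./setQosCfg.txt`", kv, sizeof kv, argv) == -1);
    return 0;
}
```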

Preconditions

  • network: The attacker must be able to reach the router's web management interface over the network.
  • auth: The attacker likely needs a valid session cookie (SESSION_ID) to authenticate with the web interface.
  • input: The attacker must supply a crafted `enable` parameter containing shell metacharacters (e.g., backticks) in the POST body.

Reproduction

1. Ensure the attacker can reach the router's web interface (e.g., at 192.168.6.2).
2. Send an HTTP POST request to `/cgi-bin/cstecgi.cgi` with the following body (including a valid session cookie):
   {"topicurl":"setQosCfg","enable":"`ls>./setQosCfg.txt`"}
3. After the request is processed, the file `setQosCfg.txt` will be created in the current directory, containing the output of the `ls` command, confirming command execution [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)