Totolink A8000RU Web Management cstecgi.cgi setL2tpServerCfg os command injection
Description
A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TOTOLINK A8000RU 7.1cu.643_b20200521's setL2tpServerCfg function allows remote unauthenticated OS command injection via the enable argument.
Vulnerability
The vulnerability resides in the setL2tpServerCfg function within the file /cgi-bin/cstecgi.cgi of the TOTOLINK A8000RU router firmware version 7.1cu.643_b20200521 [1]. The enable argument is read from user input and passed unsanitized to the Uci_Set_Str function, which constructs a command string using snprintf. This string is later executed by CsteSystem via execv(), leading to OS command injection [1]. No authentication is required to reach the vulnerable endpoint.
Exploitation
An attacker can send a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing the topicurl set to setL2tpServerCfg and the enable parameter containing backtick-delimited OS commands [1]. For example, setting enable to `` `ls>./setL2tpServerCfg.txt` `` causes the router to execute the `ls` command and write output to a file. The attack is remote and requires only network access to the router's web interface [1].
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the router with the privileges of the web server process [1]. This can lead to full device compromise, including data exfiltration, configuration modification, or use of the device as a pivot point in further attacks [1].
Mitigation
As of the publication date (2026-05-25), no firmware update addressing this vulnerability has been released by TOTOLINK [1]. Users should restrict access to the web management interface to trusted networks only, monitor for unusual activity, and consider replacing the device if it reaches end of life [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the setL2tpServerCfg handler allows attacker-controlled data to be passed directly to OS command execution."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to /cgi-bin/cstecgi.cgi with the topicurl set to "setL2tpServerCfg" and the "enable" argument containing shell metacharacters [1]. The value of enable is inserted into a buffer via snprintf and then passed to CsteSystem, which calls execv() to execute the constructed command [1]. Because no validation or sanitization is performed on the enable parameter, an attacker can inject arbitrary OS commands using backticks or other shell operators. The attack is remotely exploitable over the network with no authentication required.
Affected code
The vulnerable function is setL2tpServerCfg in the file /cgi-bin/cstecgi.cgi [1]. Specifically, the sub_421190 function reads the user-provided enable parameter and passes its value to Uci_Set_Str in libcscommon.so, but the value is also inserted into a buffer via snprintf and then executed by CsteSystem, which calls execv() [1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix. To remediate this vulnerability, the vendor should validate and sanitize the enable parameter before it is used in any command construction, or avoid passing user-controlled input to shell execution functions entirely. Input should be strictly checked against an allowlist of expected values.
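The allowlist-and-no-shell remediation described above, as an added C example; it is not TOTOLINK firmware code and not part of the advisory. The function names, the UCI key `l2tpd.server.enable`, and the assumption that `enable` only ever takes "0" or "1" are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the value shown in the Reproduction step. */
#define SAMPLE_INJECTED "`ls>./setL2tpServerCfg.txt`"
/* Hypothetical UCI key; the real option name is not given on this page. */
#define UCI_KEY "l2tpd.server.enable"

/* Allowlist: an on/off flag is assumed to accept only "0" or "1". */
static int enable_is_valid(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* Weak pattern: the raw value is formatted into one string that a shell
 * later parses, so backticks and other metacharacters stay live. */
static const char *weak_shell_cmd(const char *enable)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "uci set " UCI_KEY "=%s", enable);
    return cmd;
}

/* Hardened pattern: validate first, then build an argv[] meant for a direct
 * execv() of the uci binary, with no shell in between.
 * Returns NULL when the value is rejected. */
static const char **safe_uci_argv(const char *enable)
{
    static char kv[64];
    static const char *argv[4];

    if (!enable_is_valid(enable))
        return NULL;
    snprintf(kv, sizeof kv, UCI_KEY "=%s", enable);
    argv[0] = "uci"; argv[1] = "set"; argv[2] = kv; argv[3] = NULL;
    return argv;
}

int main(void)
{
    const char **av = safe_uci_argv("1");
    printf("weak:     %s\n", weak_shell_cmd(SAMPLE_INJECTED));
    printf("rejected: %s\n", safe_uci_argv(SAMPLE_INJECTED) ? "no" : "yes");
    printf("argv:     [%s] [%s] [%s]\n", av[0], av[1], av[2]);
    return 0;
}
```

Rejecting the request outright on a failed check, rather than trying to strip metacharacters, keeps the handler's behaviour independent of which shell operators exist.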
Preconditions
- network: Network access to the router's web management interface
- auth: No authentication required
Reproduction
Send a POST request to /cgi-bin/cstecgi.cgi with the JSON body ``{"topicurl":"setL2tpServerCfg","enable":"`ls>./setL2tpServerCfg.txt`"}``. The router will execute the injected command and write the directory listing to setL2tpServerCfg.txt [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_357/README.md (mitre, exploit)
- vuldb.com/submit/813461 (mitre, third-party-advisory)
- vuldb.com/submit/813909 (mitre, third-party-advisory)
- vuldb.com/vuln/365417 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365417/cti (mitre, signature, permissions-required)
- www.totolink.net (mitre, product)