Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCertGenerationCfg os command injection
Description
A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument servername can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Totolink A8000RU web interface allows remote unauthenticated attackers to execute arbitrary OS commands via crafted servername parameter.
Vulnerability
A command injection vulnerability exists in the Totolink A8000RU firmware version 7.1cu.643_b20200521. The flaw resides in the setOpenVpnCertGenerationCfg function within the file /cgi-bin/cstecgi.cgi. The function reads the user-supplied servername parameter and, instead of sanitizing it, passes the value into a string that is subsequently executed by the CsteSystem function via execv(). This allows an attacker to inject arbitrary OS commands through the servername argument [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include a JSON payload with the topicurl set to setOpenVpnCertGenerationCfg and the servername parameter containing the desired command enclosed in backticks. No authentication is required, as the PoC demonstrates successful execution with a session cookie that may be obtained from a default session. For example, setting servername to `ls>./setOpenVpnCertGenerationCfg.txt` (backticks included) results in the ls command being executed and its output written to a file [1].
Impact
Successful exploitation grants the attacker arbitrary OS command execution with the privileges of the web server process, typically root. This can lead to full compromise of the router, including data exfiltration, installation of malware, modification of device configuration, and use of the device as a pivot point for further network attacks [1].
Mitigation
As of the publication date, no official firmware update or patch has been released by Totolink to address this vulnerability. Users are advised to restrict remote access to the router's web management interface to trusted networks only, and to monitor for any suspicious activity. If possible, disable the web management interface or place the device behind a firewall until a fix is available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `servername` parameter allows OS command injection via shell metacharacters."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setOpenVpnCertGenerationCfg` and the `servername` argument containing shell metacharacters such as backticks [ref_id=1]. The router's web management interface accepts the request and passes the unsanitized `servername` value into a system command execution path, allowing arbitrary OS commands to run [ref_id=1]. The attack requires network access to the router's management interface (typically LAN-side, but could be exposed to WAN).
Affected code
The vulnerability resides in the function `setOpenVpnCertGenerationCfg` within `/cgi-bin/cstecgi.cgi`. The sub_42A958 function reads the user-supplied `servername` parameter and passes it via `snprintf` into a variable `v11`, which is then handled by `CsteSystem` and ultimately executed by `execv()` [ref_id=1]. No patch is provided in the bundle.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that the `servername` parameter is passed unsanitized into `snprintf` and then into `CsteSystem`, which calls `execv()`. To remediate, the vendor must validate or sanitize the `servername` input to reject shell metacharacters, or avoid passing user-controlled strings into system command execution functions entirely.
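One way to implement the remediation described above, as an added example (not code from the firmware, the advisory, or Totolink): the string-building pattern beside an allowlist check and an argv vector that no shell ever parses. The helper path, the `--name` flag, the 63-character limit and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define SERVERNAME_MAX 63  /* assumed limit, not taken from the firmware */
/* Hypothetical helper path and flag: the real command line is not on the page. */
static const char *CERT_HELPER = "/usr/sbin/gen-openvpn-cert";

/* Vulnerable pattern described above: the value is formatted into one string
 * that a shell later parses, so backticks, $(), ; and | become syntax. */
int build_cmd_unsafe(char *out, size_t outlen, const char *servername)
{
    int n = snprintf(out, outlen, "%s --name %s", CERT_HELPER, servername);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist: 1..63 chars of [A-Za-z0-9._-], no leading '-' (option injection). */
int servername_is_valid(const char *s)
{
    size_t len;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > SERVERNAME_MAX || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened form: validate, then fill an argv vector for execv() so the value
 * stays one literal argument. Returns 0 on success, -1 if input is rejected. */
int build_argv_safe(const char *argv[4], const char *servername)
{
    if (!servername_is_valid(servername)) return -1;
    argv[0] = CERT_HELPER; argv[1] = "--name";
    argv[2] = servername;  argv[3] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[4];
    /* Constructed inputs: a benign name and the value quoted in the advisory. */
    const char *inputs[] = { "vpn-server01", "`ls>./setOpenVpnCertGenerationCfg.txt`" };
    for (int i = 0; i < 2; i++)
        printf("%-42s -> %s\n", inputs[i],
               build_argv_safe(argv, inputs[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation alone is the weaker control; combining it with an argv-based exec removes the shell from the path, so a missed metacharacter cannot become syntax.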
Preconditions
- network: Network access to the router's web management interface (typically on port 80/443)
- auth: No authentication required; the PoC does not include any auth check
Reproduction
Send a POST request to `/cgi-bin/cstecgi.cgi` with the body `` {"topicurl":"setOpenVpnCertGenerationCfg","servername":"`ls>./setOpenVpnCertGenerationCfg.txt`"} ``. The router will execute the command and write the directory listing to `setOpenVpnCertGenerationCfg.txt` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_341/README.md (mitre; exploit)
- vuldb.com/submit/813447 (mitre; third-party-advisory)
- vuldb.com/vuln/365435 (mitre; vdb-entry, technical-description)
- vuldb.com/vuln/365435/cti (mitre; signature, permissions-required)
- www.totolink.net (mitre; product)