VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection

CVE-2026-9455

Description

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument FileName leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote attackers to execute arbitrary OS commands via the FileName parameter in the UploadOpenVpnCert handler of /cgi-bin/cstecgi.cgi.

Vulnerability

The vulnerability resides in the UploadOpenVpnCert handler within /cgi-bin/cstecgi.cgi of the Totolink A8000RU router running firmware version 7.1cu.643_b20200521 [1]. The sub_4311C8 function reads the user-supplied FileName parameter and inserts it into a buffer via snprintf; the resulting string is subsequently passed to CsteSystem, which executes it via execv(). No sanitization or validation is performed on the FileName value, enabling OS command injection [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending an HTTP POST request to /cgi-bin/cstecgi.cgi with a crafted JSON payload containing the FileName parameter. The attacker does not require authentication, as demonstrated by the public proof-of-concept (PoC) request [1]. In the PoC, the value `` `ls>./UploadOpenVpnCert.txt` `` is supplied, causing the router to execute the command `ls>./UploadOpenVpnCert.txt` [1]. The attacker only needs network access to the device’s web interface [1].

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the router with the privileges of the web server process. This can lead to full device compromise, enabling data exfiltration, modification of configuration, denial of service, or use of the device as a pivot point for further network attacks [1].

Mitigation

As of the publication date, no official firmware update or patch from Totolink has been identified to address this vulnerability [1]. Administrators are advised to restrict network access to the web management interface (port 80/443) from untrusted networks, or disable the interface entirely if not required. The device is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the FileName parameter allows OS command injection via shell metacharacters."

Attack vector

An attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `UploadOpenVpnCert` and the `FileName` parameter containing shell metacharacters such as backticks. The value of `FileName` is unsanitized and passed directly into a system command executed by `CsteSystem`/`execv()`, allowing arbitrary OS commands to run on the device [1]. The attacker must be on the local network (e.g., at `192.168.6.2`) and have a valid session cookie, but no further authentication is required beyond that session.

Affected code

The vulnerability resides in the function `sub_4311C8` within `/cgi-bin/cstecgi.cgi` of the Web Management Interface. The function reads the user-supplied `FileName` parameter and inserts it into a buffer via `snprintf`, after which the resulting string is passed to `CsteSystem`, which ultimately calls `execv()` to execute the command [1].

What the fix does

No patch is provided in the bundle. The advisory [1] does not include a fix or remediation guidance. To close this vulnerability, the vendor would need to validate and sanitize the `FileName` input to reject shell metacharacters (e.g., backticks, semicolons, pipes) before the value is used in any system command, or avoid passing user input directly to a shell execution function altogether.
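Both remediation options named above, sketched in C as an added example (this is not Totolink's code and does not come from the advisory). The names `filename_is_safe`, `run_with_filename` and `MAX_NAME`, the 64-byte limit and the allowed character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_NAME 64 /* assumed limit, not taken from the firmware */

/* Allowlist check: 1 only for a bare name made of [A-Za-z0-9._-]. */
int filename_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_NAME)
        return 0;
    if (name[0] == '.' || name[0] == '-') /* no "..", dotfiles or option-like names */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0; /* rejects backticks, ';', '|', '>', '/', spaces, ... */
    }
    return 1;
}

/* Run prog with name as a single argv element (no shell); -1 if rejected. */
int run_with_filename(const char *prog, const char *name)
{
    if (!filename_is_safe(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" assumes the target program treats it as end-of-options */
        char *const argv[] = { (char *)prog, "--", (char *)name, NULL };
        execv(prog, argv);
        _exit(127); /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *poc = "`ls>./UploadOpenVpnCert.txt`"; /* FileName from the PoC */
    printf("PoC value accepted: %d\n", filename_is_safe(poc));
    printf("client.ovpn accepted: %d\n", filename_is_safe("client.ovpn"));
    return 0;
}
```

An allowlist is used instead of a metacharacter denylist so that characters nobody thought to list are rejected by default.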

Preconditions

  • network: Attacker must have network access to the router's web management interface (typically on the local LAN).
  • auth: Attacker must possess a valid session cookie (e.g., SESSION_ID) to authenticate the request.
  • input: The vulnerable endpoint /cgi-bin/cstecgi.cgi must be reachable and the UploadOpenVpnCert topicurl must be accepted.

Reproduction

Send a POST request to `/cgi-bin/cstecgi.cgi` with the body ``{"topicurl":"UploadOpenVpnCert","FileName":"`ls>./UploadOpenVpnCert.txt`"}``. The router will execute the injected `ls` command and write the directory listing to `./UploadOpenVpnCert.txt`, confirming command execution [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
