Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection
Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. It affects the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi in the Web Management Interface component. Manipulating the argument enabled results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Totolink A8000RU router via setOpenVpnCfg allows remote unauthenticated attackers to execute arbitrary OS commands.
Vulnerability
The vulnerability is an OS command injection in the Totolink A8000RU firmware version 7.1cu.643_b20200521. The function setOpenVpnCfg in /cgi-bin/cstecgi.cgi improperly handles the port argument, which is passed to Uci_Set_Str and then to CsteSystem that calls execv(), allowing arbitrary command execution [1]. The manipulation of the enabled argument also triggers the same code path.
Exploitation
An attacker can send a crafted HTTP POST request to the /cgi-bin/cstecgi.cgi endpoint with topicurl set to setOpenVpnCfg. The port parameter contains a command injection payload (e.g., ` ls>./setOpenVpnCfg.txt `). The attack is remote and requires neither authentication nor user interaction; the router's web interface only has to process the request [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router's underlying system with the privileges of the web server (likely root). This leads to full compromise of the device, including the ability to exfiltrate data, install malware, or use the router for further attacks [1].
Mitigation
As of the publication date, no official patch has been released by Totolink. Users are advised to restrict access to the router's web interface to trusted networks and monitor for any firmware updates from the vendor. The vulnerability has been publicly disclosed with a PoC, increasing the risk of exploitation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the setOpenVpnCfg handler allows an attacker-controlled port value to be passed directly into a system command execution path."
Attack vector
An unauthenticated attacker sends a crafted POST request to /cgi-bin/cstecgi.cgi with topicurl set to "setOpenVpnCfg" and the port parameter containing shell metacharacters (e.g., backticks). The vulnerable sub_430C78 function reads the port value and passes it through snprintf into a buffer that is later executed by CsteSystem via execv() [ref_id=1]. Because the input is not sanitized, the attacker's injected OS command runs with the privileges of the web interface. The attack is remotely exploitable over the network with no authentication required.
Affected code
The vulnerable function is sub_430C78 in the file /cgi-bin/cstecgi.cgi of the Totolink A8000RU firmware version 7.1cu.643_b20200521 [ref_id=1]. This function reads the user-supplied port parameter and passes it via snprintf into a buffer that is subsequently executed by CsteSystem (defined in libcscommon.so), which calls execv() [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] identifies that the root cause is the lack of input validation on the port parameter before it reaches CsteSystem/execv(). To remediate, the vendor must add strict input validation or sanitization to reject shell metacharacters in the port parameter, or replace the system-call approach with a safe API that does not invoke a shell interpreter.
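The strict validation described above could look like the following. This is an added example, not code from the advisory or from Totolink firmware; `parse_port`, `parse_enabled` and `canonical_port` are hypothetical names, and the sample inputs in `main` are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not firmware code: accept 1-5 ASCII digits whose
 * value lies in 1..65535. Returns 0 on success, -1 otherwise. */
int parse_port(const char *s, unsigned *out)
{
    size_t n = s ? strlen(s) : 0;
    unsigned long v;
    if (n == 0 || n > 5 || strspn(s, "0123456789") != n)
        return -1;          /* rejects `, $, ;, |, whitespace, signs, ... */
    v = strtoul(s, NULL, 10);
    if (v < 1 || v > 65535)
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* Hypothetical helper: the enabled flag must be exactly "0" or "1". */
int parse_enabled(const char *s, int *out)
{
    if (s == NULL || (strcmp(s, "0") != 0 && strcmp(s, "1") != 0))
        return -1;
    *out = (s[0] == '1');
    return 0;
}

/* Re-serialize from the parsed integer: no request byte is copied through. */
int canonical_port(const char *raw, char *dst, size_t dstlen)
{
    unsigned port;
    int n;
    if (parse_port(raw, &port) != 0)
        return -1;
    n = snprintf(dst, dstlen, "%u", port);
    return (n > 0 && (size_t)n < dstlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs; the second is the payload quoted in the advisory. */
    const char *samples[] = { "1194", "`ls>./setOpenVpnCfg.txt`", "70000", "00443" };
    char buf[8];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               canonical_port(samples[i], buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

Only the string produced by `canonical_port` would be handed on to the configuration store, so a value that passes the check can contain nothing but digits.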
Preconditions
- Network: Attacker must have network access to the router's web management interface
- Auth: No authentication required; the vulnerable endpoint is reachable without a valid session
Reproduction
Send a POST request to /cgi-bin/cstecgi.cgi with Content-Type application/x-www-form-urlencoded and a body containing: `{"topicurl":"setOpenVpnCfg","Enabled":"1","port":"\`ls>./setOpenVpnCfg.txt\`"}`. After the request, the file setOpenVpnCfg.txt will be created in the current directory with the directory listing as its content, confirming command execution [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_344/README.md (mitre; exploit)
- vuldb.com/submit/813452 (mitre; third-party-advisory)
- vuldb.com/vuln/365437 (mitre; vdb-entry, technical-description)
- vuldb.com/vuln/365437/cti (mitre; signature, permissions-required)
- www.totolink.net (mitre; product)