Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection
Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote attackers to execute arbitrary commands via the FileName parameter in the UploadFirmwareFile endpoint.
Vulnerability
An OS command injection vulnerability exists in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The flaw resides in the UploadFirmwareFile function within the /cgi-bin/cstecgi.cgi script. The FileName parameter is read from user input and passed through __sprintf_chk into a buffer, which is then processed by the CsteSystem function that ultimately calls execv(). No sanitization is applied to the FileName value, allowing an attacker to inject arbitrary OS commands. The vulnerability can be triggered remotely by sending a crafted POST request to the web management interface [1].
Exploitation
An attacker with network access to the router's web management interface can exploit this vulnerability by sending a POST request to /cgi-bin/cstecgi.cgi with a malicious FileName parameter containing command injection payloads. The proof-of-concept demonstrates setting FileName to `ls>./UploadFirmwareFile.txt`, which results in the ls command being executed and its output written to a file. The request uses `Content-Type: application/x-www-form-urlencoded` and includes a session cookie, though the vulnerability does not require prior authentication according to the public disclosure [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router with the privileges of the web server process. This can lead to full compromise of the device, including reading sensitive information, modifying configuration, installing persistent malware, or using the router as a pivot for further network attacks. The proof-of-concept confirms command execution by creating a file with directory listing output [1].
Mitigation
As of the publication date, no official patch has been released by Totolink. Users should restrict network access to the web management interface to trusted networks only, disable remote management if not required, and monitor the vendor's support page for firmware updates. The device may be end-of-life; if so, replacement with a supported model is recommended. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of the FileName argument in the UploadFirmwareFile handler allows an attacker to inject arbitrary OS commands."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to /cgi-bin/cstecgi.cgi with the topicurl set to "UploadFirmwareFile" and the FileName parameter containing a command injection payload wrapped in backticks [ref_id=1]. The router's sub_4328D0 function passes the unsanitized FileName value through __sprintf_chk into a buffer that is later executed by CsteSystem via execv() [ref_id=1]. The attacker only needs network access to the router's web interface; no authentication is required. The PoC demonstrates injecting `ls>./UploadFirmwareFile.txt` to write directory listing output to a file [ref_id=1].
Affected code
The vulnerable function is sub_4328D0 in the file /cgi-bin/cstecgi.cgi [ref_id=1]. This function reads the user-supplied FileName parameter and passes it through __sprintf_chk into a buffer that is subsequently handled by CsteSystem, which calls execv() to execute the constructed command [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not specify a fix. To remediate this vulnerability, the vendor should validate and sanitize the FileName input to reject shell metacharacters such as backticks, semicolons, and pipe symbols before the value is used in any system command execution path. Input should be restricted to expected firmware filename patterns (e.g., alphanumeric characters, dots, and underscores only).
Preconditions
- network: Network access to the router's web management interface (typically on port 80 or 443)
- auth: No authentication required; the vulnerable endpoint is accessible without a valid session
- input: The attacker must send a POST request with Content-Type application/x-www-form-urlencoded
Reproduction
1. Ensure the target TOTOLINK A8000RU router (firmware version 7.1cu.643_b20200521) is reachable on the network.
2. Send a POST request to http://<router-ip>/cgi-bin/cstecgi.cgi with the body: `{"topicurl":"UploadFirmwareFile","Filename":"\`ls>./UploadFirmwareFile.txt\`"}` and the header `Content-Type: application/x-www-form-urlencoded; charset=UTF-8`.
3. Verify command execution by requesting the created file at http://<router-ip>/UploadFirmwareFile.txt, which will contain the directory listing [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_343/README.md (mitre; exploit)
- vuldb.com/submit/813454 (mitre; third-party-advisory)
- vuldb.com/vuln/365438 (mitre; vdb-entry, technical-description)
- vuldb.com/vuln/365438/cti (mitre; signature, permissions-required)
- www.totolink.net (mitre; product)