Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection
Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument enabled leads to OS command injection. The attack can be performed remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary commands via the enabled parameter in setWanCfg.
Vulnerability
The Totolink A8000RU router running firmware version 7.1cu.643_b20200521 contains an OS command injection vulnerability in the setWanCfg function of the /cgi-bin/cstecgi.cgi script. The enabled parameter is read and passed through Uci_Set_Str_By_Idx and eventually to CsteSystem, which executes the string via execv() without sanitization [1]. An attacker can inject arbitrary OS commands by including them in backticks or other shell metacharacters within the enabled parameter.
Exploitation
An attacker with network access to the router's web interface can send a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with topicurl set to setWanCfg and the enabled parameter containing a command wrapped in backticks (e.g., ` ls>./setWanCfg.txt `). No authentication is required, as the PoC demonstrates successful execution with a session cookie that may not be validated [1]. The command is executed by the system with the privileges of the web server (typically root).
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router, leading to full device compromise. This can result in unauthorized access to network traffic, modification of router configuration, installation of malware, or use of the device as a pivot point for further attacks on the internal network.
Mitigation
As of the publication date, no official patch has been released by Totolink for this vulnerability. Users are advised to restrict remote access to the router's management interface by disabling WAN-side administration and using firewall rules to limit access to trusted IP addresses. The device may be end-of-life; consider replacing it with a supported model. This CVE is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `enabled` parameter is read from user input and inserted into an OS command string via `snprintf` without sanitization, then executed by `execv()` in `CsteSystem`."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setWanCfg` and the `enabled` argument containing shell metacharacters. The researcher's proof-of-concept uses backticks around `ls>./setWanCfg.txt` as the value of `enabled` [1]. Because the value is inserted into a command string via `snprintf` and then executed by `execv()` without sanitization, the injected OS command runs on the device [1].
Affected code
The vulnerable function is `setWanCfg` in the file `/cgi-bin/cstecgi.cgi`. The researcher identifies the internal function `sub_42D068`, which reads the user-provided `enabled` parameter and passes it through `Uci_Set_Str_By_Idx` and `Uci_Set_Str`, eventually reaching `CsteSystem`, which calls `execv()` to execute the constructed command [1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor [1]. To close the vulnerability, the `enabled` parameter value must be sanitized or validated before being inserted into the command string, or the architecture should avoid passing user-controlled input directly to OS command execution functions such as `execv()`.
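One way to apply the validation described above, as an added example that is not the vendor's or the researcher's code. It assumes the only legitimate values of `enabled` are "0" and "1"; the function names and the `wan.enabled` key are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the only legitimate values of `enabled` are "0" and "1". */
int enabled_is_valid(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* For free-form fields an allow-list cannot cover: returns 1 if the value
 * holds any character a shell would interpret, or is NULL. */
int has_shell_meta(const char *v)
{
    static const char meta[] = "`$;|&<>(){}*?!#\\\"' \t\r\n";
    return v == NULL || v[strcspn(v, meta)] != '\0';
}

/* Builds one "option=value" argument for a hypothetical config tool.
 * The result is meant to be a single argv element handed to execv()
 * directly, never a string given to "sh -c". Returns 0 or -1 (rejected). */
int build_enabled_arg(char *out, size_t outlen, const char *enabled)
{
    int n;

    if (!enabled_is_valid(enabled))
        return -1;                          /* reject before any formatting */
    n = snprintf(out, outlen, "wan.enabled=%s", enabled); /* placeholder key */
    if (n < 0 || (size_t)n >= outlen)
        return -1;                          /* truncated output is rejected too */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the third is the value quoted from the PoC. */
    const char *samples[] = { "1", "0", "`ls>./setWanCfg.txt`", "2", "" };
    char arg[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_enabled_arg(arg, sizeof arg, samples[i]);
        printf("%-24s meta=%d -> %s\n", samples[i], has_shell_meta(samples[i]), rc == 0 ? arg : "rejected");
    }
    return 0;
}
```

The allow-list is the primary control here; the metacharacter check is only a fallback for fields that cannot be enumerated.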
Preconditions
- network: The attacker must be able to reach the router's web management interface over the network.
- auth: No authentication is required; the PoC does not include any authentication step beyond a session cookie which may be obtained trivially.
Reproduction
Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_346/README.md (mitre, exploit)
- vuldb.com/submit/813457 (mitre, third-party-advisory)
- vuldb.com/vuln/365439 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365439/cti (mitre, signature, permissions-required)
- www.totolink.net (mitre, product)