Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection
Description
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Totolink A8000RU firmware 7.1cu.643_b20200521, the setIpQosRules function in /cgi-bin/cstecgi.cgi passes a user-controlled Comment parameter into an OS command without sanitization, allowing remote attackers to execute arbitrary commands.
Vulnerability
The vulnerability resides in the setIpQosRules function within the file /cgi-bin/cstecgi.cgi of the Totolink A8000RU router, firmware version 7.1cu.643_b20200521. The function reads the Comment parameter from a POST request and passes its value to the Uci_Set_Str function via snprintf. The resulting string is subsequently handled by CsteSystem, which ultimately executes it via execv(). Because the Comment value is not sanitized, an attacker can inject arbitrary OS commands [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include the parameter topicurl set to setIpQosRules along with a Comment field containing a command injection payload, for example backtick-enclosed shell commands. The attack requires network access to the vulnerable router and does not require authentication—the provided PoC uses a session cookie but the endpoint is accessible from the LAN. The publicly available PoC demonstrates the injection by writing a file to the filesystem [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary OS commands on the router with the privileges of the web server (likely root). This leads to full compromise of the device, including data exfiltration, persistent backdoor installation, and use of the router as a pivot for further attacks on the internal network [1].
Mitigation
As of the publication date (2026-05-25), no patched firmware version has been released by Totolink. Users should monitor the vendor's download page for updates: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/176/ids/36.html [1]. If no patch becomes available, consider isolating the router from untrusted networks and restricting administrative interface access to trusted hosts only.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `comment` parameter allows OS command injection via shell metacharacters."
Attack vector
An attacker sends a crafted HTTP POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setIpQosRules` and includes a `comment` parameter containing shell metacharacters (e.g., backticks). The router's web management interface does not sanitize or validate the `comment` argument before passing it to OS command execution functions. Because the vulnerable service runs on the local network (typically at `192.168.6.2`), the attacker must have network access to the router's management interface, but no authentication bypass is required beyond a valid session cookie [ref_id=1].
Affected code
The vulnerability resides in the function `setIpQosRules` within the file `/cgi-bin/cstecgi.cgi`. The sub-function at `sub_429CA8` reads the user-supplied `comment` parameter and passes it to `Uci_Set_Str` (defined in `libcscommon.so`). The value is inserted into a buffer via `snprintf`, and that buffer is eventually passed to `CsteSystem`, which calls `execv()` to execute the constructed command [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff. To remediate this vulnerability, the vendor should implement strict input validation and sanitization on the `comment` parameter, rejecting or escaping shell metacharacters before the value is used in `snprintf` and subsequently passed to `CsteSystem`/`execv()`. Without such validation, an attacker can inject arbitrary OS commands through the `comment` field [ref_id=1].
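An added example, not vendor code and not taken from the cited advisory: one way to apply the validation described above in C, pairing an allow-list check on the comment value with an argument vector built for `execv()` so that no shell ever parses the value. `COMMENT_MAX`, both function names, the use of the `uci` command-line tool and the UCI key `qos.rule.comment` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 32 /* assumed length limit, not taken from the firmware */

/* Allow-list check: returns 1 if the length is 1..COMMENT_MAX and every byte
 * is an ASCII letter, digit, space, '-', '_' or '.'; otherwise returns 0.
 * Backticks, '$', ';', '|', '&', '>', quotes and newlines all fail. */
int comment_is_safe(const char *s)
{
    size_t n, i;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > COMMENT_MAX)
        return 0;
    for (i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == ' ' || c == '-' ||
                 c == '_' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build an argument vector suitable for execv() without involving a shell.
 * "qos.rule.comment" is a hypothetical UCI key used only for illustration.
 * Returns 0 on success, -1 if the comment is rejected or does not fit. */
int build_set_argv(const char *comment, char *buf, size_t buflen,
                   char *argv[4])
{
    int len;

    if (!comment_is_safe(comment))
        return -1;
    len = snprintf(buf, buflen, "qos.rule.comment=%s", comment);
    if (len < 0 || (size_t)len >= buflen)
        return -1; /* truncated: refuse rather than store a partial value */
    argv[0] = (char *)"uci";
    argv[1] = (char *)"set";
    argv[2] = buf; /* a single argv element, never re-split by a shell */
    argv[3] = NULL;
    return 0;
}
```

The allow-list rejects the input at the CGI boundary, and the argv form keeps any value that does get through from being interpreted as shell syntax.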
Preconditions
- network: Attacker must have network access to the router's web management interface (typically on the local network at 192.168.6.2).
- auth: A valid session cookie (SESSION_ID) is required to authenticate the HTTP request.
- config: The vulnerable firmware version is 7.1cu.643_b20200521 on the Totolink A8000RU device.
Reproduction
1. Ensure the target Totolink A8000RU (firmware 7.1cu.643_b20200521) is accessible on the network (e.g., at 192.168.6.2).
2. Send a POST request to `/cgi-bin/cstecgi.cgi` with a valid `SESSION_ID` cookie and the following JSON body: `{"topicurl":"setIpQosRules","upBandwidth":"1","dwBandwidth":"1","comment":"\`ls>./setIpQosRules.txt\`"}`.
3. After the request is processed, verify that a file named `setIpQosRules.txt` was created in the current directory, containing the directory listing output from the `ls` command [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_347/README.md (mitre; exploit)
- vuldb.com/submit/813458 (mitre; third-party-advisory)
- vuldb.com/vuln/365456 (mitre; vdb-entry, technical-description)
- vuldb.com/vuln/365456/cti (mitre; signature, permissions-required)
- www.totolink.net (mitre; product)