VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection

CVE-2026-9476

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TOTOLINK A8000RU firmware 7.1cu.643_b20200521 allows remote OS command injection via the `admpass` parameter in setPasswordCfg, enabling unauthenticated attackers to execute arbitrary commands.

Vulnerability

The setPasswordCfg endpoint in /cgi-bin/cstecgi.cgi on TOTOLINK A8000RU firmware version 7.1cu.643_b20200521 fails to sanitize user input passed to the admpass argument. The value is inserted into a command string via snprintf and later executed by CsteSystem using execv(), allowing injection of arbitrary OS commands. No authentication is required to reach this code path, though the router must be reachable over the network. [1]

Exploitation

An attacker can send a crafted POST request to /cgi-bin/cstecgi.cgi with a JSON body containing "topicurl":"setPasswordCfg" and an admpass parameter that includes backtick-delimited commands. For example, ` ls>./setPasswordCfg.txt ` writes command output to a file. The PoC demonstrates a simple HTTP request; an attacker needs only network access to the router's management interface (typically on port 80/443) and can exchange the payload for any OS command. [1]

Impact

Successful exploitation results in arbitrary remote code execution as the root (or equivalent high-privilege) user on the device. An attacker can read sensitive files, modify router configuration, install persistent malware, or disrupt network operations. The full system is compromised, with no privilege boundary remaining. [1]

Mitigation

No official fix or patched firmware version has been released by TOTOLINK as of the publication date. The vendor has not acknowledged the vulnerability or provided a workaround. Users should consider isolating the management interface from untrusted networks (e.g., do not expose port 80/443 to the internet) and monitor for vendor updates. An exploit is already publicly available, so immediate mitigation is strongly recommended. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `setPasswordCfg` handler allows user-supplied shell metacharacters in the `admpass` argument to be passed directly to `execv()` via `CsteSystem`."

Attack vector

An attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setPasswordCfg` and the `admpass` parameter containing shell metacharacters such as backticks. The router's firmware does not sanitize or validate the `admpass` input before incorporating it into a command string that is passed to `execv()`. This allows remote, unauthenticated attackers to inject arbitrary OS commands, which are executed with the privileges of the web management interface [1].

Affected code

The vulnerability resides in the function `setPasswordCfg` within the file `/cgi-bin/cstecgi.cgi`. Specifically, the `sub_426150` function reads the user-provided `admpass` parameter and passes its value to `Uci_Set_Str`, which is defined in `libcscommon.so`. The value of `admpass` is inserted into a buffer `v11` using `snprintf`, and `v11` is then handled by `CsteSystem`, which ultimately calls `execv()` to execute the constructed command [1].

What the fix does

No patch is provided in the bundle. The advisory does not specify any remediation from the vendor. To close this vulnerability, the application must validate and sanitize the `admpass` input to reject shell metacharacters (e.g., backticks, semicolons, pipes) before the value is used in any command construction. Input should be treated as a literal string parameter rather than being concatenated into a command string that is passed to `execv()` [1].
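The pattern described under "Affected code" next to the remediation described above, as an added example (not vendor code and not taken from the referenced report). The function names `admpass_ok`, `run_capture`, `set_pass_shell` and `set_pass_argv` are hypothetical, `echo` stands in for the real configuration command, and the `/bin/sh -c` hand-off and the 1-32 character allow-list are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy (not the vendor's): 1-32 chars, none with shell meaning. */
int admpass_ok(const char *s) {
    size_t n = strlen(s);
    return n >= 1 && n <= 32 && strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_.@-") == n;
}

/* execv() argv[0] directly (no shell, no PATH search); capture its stdout. */
int run_capture(char *const argv[], char *out, size_t outlen) {
    int fd[2], status = -1;
    size_t used = 0;
    ssize_t r;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execv(argv[0], argv);
        _exit(127);                      /* only reached if exec failed */
    }
    close(fd[1]);
    while (pid > 0 && used + 1 < outlen &&
           (r = read(fd[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fd[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pattern the page describes: value formatted into a string a shell parses. */
int set_pass_shell(const char *admpass, char *out, size_t outlen) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", admpass);   /* unsanitized value */
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_capture(argv, out, outlen);
}

/* Hardened: reject on the allow-list, then pass the value as one argv element. */
int set_pass_argv(const char *admpass, char *out, size_t outlen) {
    if (!admpass_ok(admpass)) return -1;
    char *argv[] = { "/bin/echo", (char *)admpass, NULL };
    return run_capture(argv, out, outlen);
}
```

The allow-list and the shell-free `execv()` call are independent layers: the second keeps a value literal even if the first is loosened later.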

Preconditions

  • network: The attacker must have network access to the router's web management interface on port 80/443.
  • config: The router must be running Totolink A8000RU firmware version 7.1cu.643_b20200521.
  • auth: No authentication is required; the PoC request does not include valid credentials beyond a session cookie.

Reproduction

1. Ensure the target router (Totolink A8000RU, firmware 7.1cu.643_b20200521) is reachable at an IP such as 192.168.6.2.
2. Send the following HTTP POST request using a tool like curl or Burp Suite:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 75
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

{"topicurl":"setPasswordCfg","admpass":"`ls>./setPasswordCfg.txt`"}
```

3. Verify command execution by checking that a file named `setPasswordCfg.txt` was created in the current directory, containing the directory listing [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
