Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg OS command injection
Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument mac results in OS command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote attackers to execute arbitrary commands via the mac parameter in setAccessDeviceCfg.
Vulnerability
A command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521 within the Web Management Interface. The function setAccessDeviceCfg in /cgi-bin/cstecgi.cgi reads the user-supplied mac parameter and passes it to Uci_Add_List via strcat. The value is then processed by CsteSystem, which ultimately calls execv(), allowing arbitrary OS commands to be executed. No authentication is required to trigger this vulnerability [1].
Exploitation
An unauthenticated attacker with network access to the device can send a crafted POST request to /cgi-bin/cstecgi.cgi with a JSON body containing "topicurl":"setAccessDeviceCfg" and a mac parameter containing a command injection payload enclosed in backticks. For example, setting mac to a backtick-enclosed `ls>./setAccessDeviceCfg.txt` causes the router to execute the `ls` command and write the output to a file. The exploit has been publicly released [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server process, typically root. This can lead to full compromise of the router, including data exfiltration, installation of malware, and use of the device as a pivot point for further network attacks [1].
Mitigation
As of the publication date, no official firmware update has been released by Totolink to address this vulnerability. Users should restrict access to the web management interface to trusted networks only, disable remote management if possible, and monitor for vendor updates. The public availability of a proof-of-concept exploit increases the risk of active exploitation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `mac` parameter allows shell metacharacters to be passed into an OS command executed via `execv()` [ref_id=1]."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with the `topicurl` set to `setAccessDeviceCfg` and the `mac` parameter containing shell metacharacters (e.g., backticks). The router's firmware does not sanitize or escape the `mac` value before inserting it into an OS command string, allowing arbitrary command execution [ref_id=1]. The attack requires network access to the router's web interface but no prior authentication.
Affected code
The vulnerability resides in the `setAccessDeviceCfg` function (sub_428990) within `/cgi-bin/cstecgi.cgi`. The function reads the user-supplied `mac` parameter and concatenates it into a command buffer via `snprintf` and `strcat`, which is then passed to `Uci_Add_List` and ultimately executed by `CsteSystem` via `execv()` [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not specify a fix [ref_id=1]. To remediate this vulnerability, the vendor should implement strict input validation and sanitization on the `mac` parameter, rejecting or escaping shell metacharacters before the value is used in any OS command execution path. Additionally, user-controlled data should not be handed to a shell interpreter: `execv()` itself does not interpret metacharacters, so the command should be run by passing its arguments as separate `execv()` argument-vector entries rather than as a string for a shell to parse.
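One way to apply the validation and shell-free execution described above, as an added example that is not Totolink's code and not taken from the advisory. It assumes `mac` carries a single colon-separated MAC address; `mac_is_valid`, `build_uci_argv` and the `example.acl.maclist` option name are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 17 /* "AA:BB:CC:DD:EE:FF" */

/* Allow-list check: exactly six hex octets separated by ':'.
 * Anything else (backticks, ';', '$', spaces, extra bytes) is rejected. */
int mac_is_valid(const char *s)
{
    if (s == NULL || strlen(s) != MAC_LEN)
        return 0;
    for (size_t i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Build an argument vector for execv() with the value as ONE argv element,
 * so no shell ever parses it. UCI_KEY is a hypothetical option name.
 * Returns 0 on success, -1 if the MAC is rejected or kv is too small. */
#define UCI_KEY "example.acl.maclist" /* placeholder, not from the firmware */
int build_uci_argv(const char *mac, char *kv, size_t kvlen, char *argv[4])
{
    if (!mac_is_valid(mac))
        return -1;
    int n = snprintf(kv, kvlen, "%s=%s", UCI_KEY, mac);
    if (n < 0 || (size_t)n >= kvlen)
        return -1;
    argv[0] = "uci";
    argv[1] = "add_list";
    argv[2] = kv;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed MAC and the backtick form described above. */
    const char *samples[] = { "00:11:22:AA:bb:cc", "`ls>./setAccessDeviceCfg.txt`" };
    char kv[64], *argv[4];
    for (size_t i = 0; i < 2; i++)
        printf("%-32s -> %s\n", samples[i],
               build_uci_argv(samples[i], kv, sizeof kv, argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```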
Preconditions
- network: Attacker must have network access to the router's web management interface (typically on port 80/443).
- auth: No authentication is required; the PoC does not show any auth check before the vulnerable code path.
Reproduction
1. Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_349/README.md (mitre, exploit)
- vuldb.com/submit/813460 (mitre, third-party-advisory)
- vuldb.com/vuln/365458 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365458/cti (mitre, signature, permissions-required)
- www.totolink.net (mitre, product)