VYPR · Unrated severity · NVD Advisory · Published May 25, 2026

Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection

CVE-2026-9478

Description

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Totolink A8000RU router via the 'enable' parameter in setParentalRules allows remote attackers to execute arbitrary commands.

Vulnerability

A command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521 within the web management interface. The setParentalRules function in /cgi-bin/cstecgi.cgi reads a user-supplied enable parameter and passes it to Uci_Set_Str via snprintf, which eventually gets executed by CsteSystem using execv() [1]. No authentication is explicitly required, but the proof-of-concept uses a session cookie.

Exploitation

An attacker can send a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a malicious enable parameter containing command injection payloads (e.g., ` ls>./setParentalRules.txt `) [1]. The request can be made remotely, and no special privileges are required beyond network access to the router's management interface. The PoC demonstrates successful execution of arbitrary OS commands.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands on the router with the privileges of the web server (likely root). This can lead to full device compromise, including data exfiltration, further network attacks, or denial of service.

Mitigation

As of the publication date, Totolink has released no official patch or firmware update. Users are advised to restrict access to the web management interface to trusted networks only, or to disable remote management where possible; beyond that, no workarounds are available.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `setParentalRules` function passes the user-supplied `enable` parameter unsanitized into a command execution path (`CsteSystem`/`execv()`), allowing OS command injection."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with a JSON body containing the `topicurl` set to `"setParentalRules"` and the `enable` parameter containing an OS command injection payload, such as `` `ls>./setParentalRules.txt` `` [ref_id=1]. The router's web management interface processes the request and the injected command is executed by the underlying system via `execv()` [ref_id=1]. No authentication is required beyond a valid session cookie, which can be obtained trivially.

Affected code

The vulnerability resides in the `setParentalRules` function within `/cgi-bin/cstecgi.cgi`. The function reads the user-supplied `enable` parameter and passes it to `Uci_Set_Str` (defined in `libcscommon.so`). The value is then inserted into a buffer via `snprintf`, and that buffer is ultimately executed by `CsteSystem` using `execv()` [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not specify any remediation from the vendor. To close this vulnerability, the application must validate or sanitize the `enable` parameter to ensure it does not contain shell metacharacters before passing it to `Uci_Set_Str` and subsequently to `CsteSystem`/`execv()` [ref_id=1]. Input should be restricted to expected values (e.g., boolean or enumerated strings) rather than being passed directly into a command execution path.
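An added hardening sketch of the check the paragraph describes; it is not code from the advisory, the vendor or the cited PoC. The function names and the `parental.rules.enable` UCI key are assumptions (the real key is not on this page); the point is that `enable` is allow-listed to the two boolean values and the `uci set` command is built as an argv for `execv()` with no shell in between:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder UCI key: the real option name used by Uci_Set_Str is not on this page. */
#define PARENTAL_ENABLE_UCI_KEY "parental.rules.enable"

/* The parental-rules toggle is a boolean, so the only acceptable values are the
 * literal strings "0" and "1". Anything else, including a value carrying shell
 * metacharacters, is rejected before it can reach Uci_Set_Str / CsteSystem. */
bool parental_enable_is_valid(const char *enable)
{
    if (enable == NULL)
        return false;
    return strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0;
}

/* Build the argv for `uci set <key>=<value>` so it can be handed to execv()
 * directly: with no shell in the path, the value is data, never a command.
 * Returns 0 on success; -1 if the value fails validation or does not fit. */
int set_parental_enable_argv(const char *enable, char *assign, size_t assign_len,
                             const char *argv[4])
{
    if (!parental_enable_is_valid(enable))
        return -1;
    int n = snprintf(assign, assign_len, "%s=%s", PARENTAL_ENABLE_UCI_KEY, enable);
    if (n < 0 || (size_t)n >= assign_len)
        return -1; /* truncated: refuse rather than run a partial assignment */
    argv[0] = "uci";
    argv[1] = "set";
    argv[2] = assign;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the toggle the UI would send, and the page's PoC payload. */
    const char *inputs[] = { "1", "`ls>./setParentalRules.txt`" };
    for (size_t i = 0; i < 2; i++) {
        char assign[64];
        const char *argv[4];
        if (set_parental_enable_argv(inputs[i], assign, sizeof assign, argv) == 0)
            printf("accepted: %s %s %s\n", argv[0], argv[1], argv[2]);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```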

Preconditions

  • Network: The attacker must have network access to the router's web management interface (typically on port 80/443).
  • Authentication: A valid session cookie (SESSION_ID) is required, but the advisory indicates the attack is performed remotely and the PoC includes a session cookie obtained without authentication details.
  • Input: The attacker sends a crafted JSON payload in the POST body with the enable parameter containing shell metacharacters.

Reproduction

1. Obtain a valid `SESSION_ID` cookie for the target TOTOLINK A8000RU router (firmware version 7.1cu.643_b20200521).
2. Send a POST request to `http://

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)