Cyber Posture

CVE-2026-7037

Critical

Published: 26 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Requires validation of CGI inputs like pptpPassThru to block OS command injection exploits.

prevent: Mandates timely patching of the specific command injection flaw in the router firmware.

prevent: Restricts sensitive unauthenticated actions such as VPN configuration changes via the vulnerable CGI endpoint.

Security Summary (AI)

CVE-2026-7037 is an OS command injection vulnerability (CWE-77, CWE-78) affecting Totolink A8000RU routers on firmware version 7.1cu.643_b20200521. The issue exists in the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the pptpPassThru argument enables arbitrary command execution on the underlying operating system.

The vulnerability is remotely exploitable over the network with low attack complexity and no authentication, privileges, or user interaction required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially resulting in full device compromise, such as executing arbitrary code or disrupting router operations.

Advisories on VulDB (https://vuldb.com/vuln/359617, https://vuldb.com/vuln/359617/cti) and the manufacturer's site (https://www.totolink.net/) provide further details; a public exploit is available at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_305/README.md, heightening the risk of widespread attacks against vulnerable devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application (router CGI interface) for arbitrary OS command execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) as it involves command injection on the underlying OS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
