CVE-2026-7122

Critical

Published: 27 April 2026

Published

27 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the…

attack remotely. The exploit has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating the 'enable' argument passed to the setUPnPCfg function in the vulnerable CGI handler.

SI-2 Flaw Remediation good match

prevent

Remediates the known flaw in Totolink A8000RU firmware version 7.1cu.643_b20200521 through testing and application of vendor patches.

SC-7 Boundary Protection good match

prevent

Enforces boundary protection to monitor and control remote network access to the publicly exposed vulnerable /cgi-bin/cstecgi.cgi endpoint.

Security SummaryAI

CVE-2026-7122 is an OS command injection vulnerability in Totolink A8000RU router firmware version 7.1cu.643_b20200521. The issue affects the setUPnPCfg function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the "enable" argument enables command injection (CWE-77, CWE-78). Published on 2026-04-27, it carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require only network access, with no authentication, privileges, or user interaction needed, and low attack complexity. Exploitation allows arbitrary OS command execution on the device, potentially leading to full compromise including data theft, modification, or denial of service.

Advisories and references, including VulDB entries (vuldb.com/vuln/359721) and a GitHub repository with exploit details (github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_307/README.md), document the issue; the Totolink vendor site (totolink.net) should be checked for patches or updates.

The exploit has been publicly disclosed and may be used in attacks.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated remote OS command injection via public-facing web CGI interface on router, directly facilitating Exploit Public-Facing Application (T1190) and Network Device CLI execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_307/README.md
cna@vuldb.com
https://vuldb.com/submit/800934
cna@vuldb.com
https://vuldb.com/vuln/359721
cna@vuldb.com
https://vuldb.com/vuln/359721/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com