CVE-2026-7124

Critical

Published: 27 April 2026

Published

27 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument addrPrefixLen can lead to os command injection. The attack…

can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly implements input validation mechanisms on CGI parameters like addrPrefixLen to block OS command injection exploits.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of flaws such as the command injection vulnerability in setIpv6LanCfg function.

SI-9 Information Input Restrictions good match

prevent

Restricts CGI input parameters like addrPrefixLen to authorized types and formats, preventing malicious command injection payloads.

Security SummaryAI

CVE-2026-7124 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The flaw affects the setIpv6LanCfg function within the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the addrPrefixLen argument triggers command injection. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8.

The vulnerability enables remote exploitation without authentication or user interaction (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can send crafted requests to the exposed CGI endpoint, injecting arbitrary OS commands to achieve high-impact compromise, including data exfiltration, modification, or denial of service on the affected router.

Advisories and references, including those from VulDB and the Totolink vendor site, provide details on the issue, while a proof-of-concept exploit is publicly available on GitHub. The exploit has been disclosed and may be utilized in attacks.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated OS command injection in a public-facing CGI endpoint on a router, directly enabling exploitation of public-facing applications (T1190) and execution of arbitrary commands via network device CLI abuse (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new2/tree/main/A8000RU/vul_309/README.md
cna@vuldb.com
https://vuldb.com/submit/801005
cna@vuldb.com
https://vuldb.com/vuln/359723
cna@vuldb.com
https://vuldb.com/vuln/359723/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com