Cyber Posture

CVE-2026-7125

Critical

Published: 27 April 2026
Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly prevents OS command injection by requiring validation of the untrusted 'merge' argument in the vulnerable setWiFiEasyCfg CGI function.

prevent: Mandates timely remediation of the specific firmware flaw enabling command injection through patching or updates.

detect: Facilitates identification of the CVE-2026-7125 vulnerability via monitoring and scanning, enabling proactive flaw remediation.

Security Summary [AI]

CVE-2026-7125 is an OS command injection vulnerability affecting the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi component of the CGI Handler, where manipulation of the "merge" argument enables arbitrary command execution. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and lack of prerequisites.

The vulnerability can be exploited remotely over the network by unauthenticated attackers, with no privileges required, no user interaction, and low attack complexity. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially enabling full router compromise such as data theft, persistent access, or further network pivoting. A public exploit is available, increasing the risk of widespread abuse.

Advisories documented on VulDB (including vuln/359724 and related CTI/submit pages) detail the vulnerability and its discovery, while a GitHub repository provides exploit code in a README.md file. The Totolink vendor website is referenced, though specific patch details are not outlined in available information. Security practitioners should monitor for firmware updates and apply network segmentation to affected devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote OS command injection via public-facing router web CGI enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References