CVE-2026-7137
Published: 27 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7137 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setStorageCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the sambaEnabled argument enables injection of operating system commands. It is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
Remote attackers can exploit this vulnerability without authentication, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated adversary with network access to the device can send a crafted request to the affected endpoint and execute arbitrary OS commands on it. This could result in full system compromise, including data theft, modification, or denial of service.
Advisories documented on VulDB (vuln/359736) detail the vulnerability and reference a public exploit disclosure. A GitHub repository at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_312/README.md provides exploit code that may be used for remote attacks. The Totolink vendor website (https://www.totolink.net/) is listed for further reference, though no specific patches are mentioned in the available information.
The exploit has been publicly disclosed, increasing the risk of widespread exploitation against unpatched Totolink A8000RU devices.
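As an added detection example (not part of the advisory and not vendor code): a Python check that flags requests to the CGI endpoint named above whose sambaEnabled argument carries shell metacharacters, run over constructed access-log lines. It assumes the argument is visible in the query string of a Common Log Format line; if the router receives it in a POST body, feed the same check the parameters from a proxy or WAF capture instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and argument named in the advisory. A boolean "enabled" flag has no
# legitimate reason to contain shell metacharacters, so their presence is the signal.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_PARAM = "sambaEnabled"
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Constructed sample log lines (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Apr/2026:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=setStorageCfg&sambaEnabled=1 HTTP/1.1" 200 120
198.51.100.7 - - [27/Apr/2026:10:03:15 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=setStorageCfg&sambaEnabled=1%3Bid HTTP/1.1" 200 130
192.0.2.11 - - [27/Apr/2026:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_injection_attempt(path: str, params: dict) -> bool:
    """True when the request hits the vulnerable CGI and sambaEnabled contains shell metacharacters.

    If the legitimate values are known (e.g. only "0"/"1"), an allow-list is the stricter choice.
    """
    if path != VULN_PATH or VULN_PARAM not in params:
        return False
    return any(SHELL_META.search(value) for value in params[VULN_PARAM])


def scan_access_log(text: str) -> list:
    """Return (client_ip, timestamp, decoded sambaEnabled value) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if is_injection_attempt(parts.path, params):
            hits.append((m.group("ip"), m.group("ts"), params[VULN_PARAM][0]))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {VULN_PARAM}={value!r}")
```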
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated OS command injection via public-facing router web CGI directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1059.004 (Unix Shell) for arbitrary command execution.