CVE-2026-7138

CVE-2026-7138 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setNtpCfg function within the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the 'tz' argument enables command injection. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability is exploitable remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation allows arbitrary OS command execution on the device, potentially granting full control over the router, including data exfiltration, modification of configurations, or disruption of services.

References include a public exploit on GitHub at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_313/README.md, VulDB entries detailing the issue (https://vuldb.com/vuln/359737 and related pages), and the vendor site https://www.totolink.net/. No specific patches or mitigations are detailed in the provided advisories, but the public exploit availability underscores the need for immediate firmware updates or network segmentation.

The exploit is public and may be used, increasing the risk of real-world attacks against exposed Totolink A8000RU devices.