CVE-2026-7139
Published: 27 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7139 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The issue lies in the setWiFiAclRules function of the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the "mode" argument triggers command injection.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction. Exploitation enables arbitrary OS command execution, granting high-impact access to confidentiality, integrity, and availability of the affected device.
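The base score quoted above follows directly from the vector string. As an added worked example that is not part of the CVE record or VulDB entry, the C program below implements the CVSS v3.1 base-score equations (metric weights, Impact Sub-Score, Exploitability, and the specification's integer-based Roundup) and evaluates them for this vector; the parser, struct and function names are my own and the second vector in `main` is a constructed comparison case with changed scope.

```c
#include <stdio.h>
#include <string.h>

/* Single-letter metric values extracted from a CVSS v3.1 vector string. */
typedef struct {
    char av, ac, pr, ui, s, c, i, a;
} cvss31_metrics;

/* Return the letter following `key` (e.g. "AV:") in the vector, or '\0' if absent. */
static char metric_value(const char *vec, const char *key)
{
    const char *p = strstr(vec, key);
    return p ? p[strlen(key)] : '\0';
}

/* Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" (the "CVSS:3.1/" prefix is
 * optional). Keys for S, C, I and A carry a leading '/' so "AC:" and "CVSS:" cannot
 * be mistaken for them. Returns 0 on success, -1 if any metric is missing. */
int cvss31_parse(const char *vec, cvss31_metrics *m)
{
    m->av = metric_value(vec, "AV:");
    m->ac = metric_value(vec, "AC:");
    m->pr = metric_value(vec, "PR:");
    m->ui = metric_value(vec, "UI:");
    m->s  = metric_value(vec, "/S:");
    m->c  = metric_value(vec, "/C:");
    m->i  = metric_value(vec, "/I:");
    m->a  = metric_value(vec, "/A:");
    return (m->av && m->ac && m->pr && m->ui && m->s && m->c && m->i && m->a) ? 0 : -1;
}

/* Metric weights from the CVSS v3.1 specification, Table 8. -1 marks an invalid letter. */
static double w_av(char v)  { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.2 : -1; }
static double w_ac(char v)  { return v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1; }
static double w_ui(char v)  { return v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1; }
static double w_cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1; }
/* Privileges Required has higher weights when Scope is Changed. */
static double w_pr(char v, int changed)
{
    return v == 'N' ? 0.85 : v == 'L' ? (changed ? 0.68 : 0.62) : v == 'H' ? (changed ? 0.5 : 0.27) : -1;
}

/* CVSS v3.1 Roundup: smallest one-decimal value >= input, done on integers exactly as
 * the specification's reference pseudocode does to avoid floating-point surprises. */
static double cvss31_roundup(double v)
{
    long n = (long)(v * 100000.0 + 0.5); /* v is never negative here */
    if (n % 10000 == 0) return n / 100000.0;
    return (double)(n / 10000 + 1) / 10.0;
}

/* Compute the base score; returns -1.0 for a malformed vector. */
double cvss31_base_score(const char *vec)
{
    cvss31_metrics m;
    if (cvss31_parse(vec, &m) != 0) return -1.0;
    if (m.s != 'U' && m.s != 'C') return -1.0;
    int changed = (m.s == 'C');

    double av = w_av(m.av), ac = w_ac(m.ac), pr = w_pr(m.pr, changed), ui = w_ui(m.ui);
    double c = w_cia(m.c), i = w_cia(m.i), a = w_cia(m.a);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1.0;

    /* ISS = 1 - (1-C)(1-I)(1-A); for this CVE's H/H/H that is 1 - 0.44^3 = 0.914816 */
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact;
    if (!changed) {
        impact = 6.42 * iss;                       /* 5.8731 for this CVE */
    } else {
        double t = iss - 0.02, p15 = 1.0;
        for (int k = 0; k < 15; k++) p15 *= t;     /* (ISS - 0.02)^15 without libm */
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    }
    double exploitability = 8.22 * av * ac * pr * ui; /* 3.887 for N/L/N/N */
    if (impact <= 0.0) return 0.0;

    double sum = impact + exploitability;
    if (changed) sum *= 1.08;
    if (sum > 10.0) sum = 10.0;
    return cvss31_roundup(sum);                    /* Roundup(9.7601) = 9.8 */
}

int main(void)
{
    const char *cve_vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";
    const char *changed_scope = "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"; /* constructed comparison */
    printf("%s -> %.1f\n", cve_vector, cvss31_base_score(cve_vector));
    printf("%s -> %.1f\n", changed_scope, cvss31_base_score(changed_scope));
    return 0;
}
```

The integer Roundup matters: summing the sub-scores in binary floating point gives 9.76016..., and a naive `ceil(x * 10) / 10` is fine here but can misround vectors whose sum lands within floating-point error of a tenth, which is why the specification defines Roundup over a scaled integer.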
Advisories referenced in VulDB (vuln/359738 and related CTI) and a GitHub repository detail the vulnerability, with the exploit publicly available and usable. The vendor's site at totolink.net is listed, though no specific patches or mitigations are outlined in the provided references.
The published exploit elevates the risk of real-world exploitation against unpatched Totolink A8000RU devices.
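The defect class behind this CVE is a CGI handler that splices an untrusted request parameter into a shell command line. As an added illustration that is not the vendor's code and not derived from the referenced exploit, the C snippet below contrasts that unsafe string-building pattern with the two controls a hardened handler applies: exact allow-list validation of the "mode" value and passing it as a discrete argv element to an exec-style API so no shell ever parses it. The `/usr/sbin/wifi_acl` path, the accepted mode values and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Allow-listed values for the "mode" parameter. Constructed for this example; the
 * real handler's accepted values are not documented in the CVE record. */
static const char *const ALLOWED_MODES[] = { "allow", "deny", "disable" };

/* Returns 1 only if `mode` is byte-for-byte equal to an allow-listed value.
 * Exact matching (rather than a metacharacter deny-list) means separators,
 * whitespace, quotes or trailing text can never slip through. */
int mode_is_allowed(const char *mode)
{
    size_t n = sizeof ALLOWED_MODES / sizeof ALLOWED_MODES[0];
    if (mode == NULL) return 0;
    for (size_t k = 0; k < n; k++)
        if (strcmp(mode, ALLOWED_MODES[k]) == 0) return 1;
    return 0;
}

/* UNSAFE pattern (shown only for contrast; nothing is executed): the raw parameter
 * is formatted into a command string destined for system()/popen(). Any shell
 * metacharacter in `mode` changes what the shell runs.
 * Returns the length written, or -1 if the buffer is too small. */
int build_command_unsafe(const char *mode, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/wifi_acl set %s", mode); /* hypothetical tool */
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* SAFE pattern: validate first, then build an argv[] for execv()/posix_spawn().
 * The value travels as one argument with no shell in the path, so even a value
 * that somehow bypassed validation could not become a second command.
 * Returns the argv count (excluding the NULL terminator), or -1 on rejection. */
int build_argv_safe(const char *mode, const char *argv[], size_t argv_cap)
{
    if (argv_cap < 4 || !mode_is_allowed(mode)) return -1;
    argv[0] = "/usr/sbin/wifi_acl"; /* hypothetical tool, same as above */
    argv[1] = "set";
    argv[2] = mode;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char cmd[128];
    const char *argv[4];
    /* Constructed sample values: one legitimate, one carrying a command separator. */
    const char *inputs[] = { "allow", "deny;extra" };
    for (size_t k = 0; k < 2; k++) {
        build_command_unsafe(inputs[k], cmd, sizeof cmd);
        printf("input %-12s unsafe string -> \"%s\"\n", inputs[k], cmd);
        printf("%-18s safe argv     -> %s\n", "",
               build_argv_safe(inputs[k], argv, 4) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The second input shows why the two controls are layered: the unsafe builder happily emits `/usr/sbin/wifi_acl set deny;extra`, which a shell would treat as two commands, while the safe path rejects the value before any process is created, and would have passed it as a single inert argument even if it had not.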
Details
- CWE(s): CWE-77, CWE-78
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote OS command injection in a public-facing router web CGI interface (T1190: Exploit Public-Facing Application), directly enabling arbitrary Unix shell command execution (T1059.004) on the device.