CVE-2026-7140
Published: 27 April 2026
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Security Summary
CVE-2026-7140 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw resides in the CsteSystem function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of an HTTP argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation allows arbitrary OS command execution on the device, with high impact on confidentiality, integrity, and availability.
Advisories and additional details are documented on VulDB (https://vuldb.com/vuln/359739, https://vuldb.com/vuln/359739/cti, https://vuldb.com/submit/801110) and the vendor site (https://www.totolink.net/). A public exploit disclosure is available on GitHub (https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_315/README.md); since the exploit has been disclosed to the public, it may be used against vulnerable devices.
Details
- CWE(s): CWE-77, CWE-78
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (T1190), leading to arbitrary OS command injection, which in turn facilitates Network Device CLI abuse (T1059.008).