Cyber Posture

CVE-2026-7152

Critical

Published: 27 April 2026

Modified: 27 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2026-7152 is an OS command injection vulnerability affecting the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setTelnetCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the telnet_enabled argument enables arbitrary command execution. Published on 2026-04-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation allows attackers to inject and execute arbitrary operating system commands, potentially resulting in high-impact confidentiality, integrity, and availability compromises, such as full router compromise, data exfiltration, or persistent access.

Advisories from VulDB detail the vulnerability (vuln/359751) and provide a submission entry (submit/801138), while a GitHub repository (Litengzheng/vuldb_new2) hosts a publicly available exploit in its README.md file. The Totolink vendor website (totolink.net) is referenced, though specific patch details are not outlined in the available sources.

Details

CWE(s)
CWE-77, CWE-78

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote OS command injection via the router's public-facing web CGI directly enables exploitation of a public-facing application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
