CVE-2026-7153
Published: 27 April 2026
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2026-7153 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setMiniuiHomeInfoShow function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the sys_info argument enables command injection. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
The vulnerability is exploitable remotely by unauthenticated attackers with no user interaction required. Successful exploitation allows arbitrary OS command execution on the device, potentially leading to full compromise including data theft, modification of configurations, or disruption of router functionality.
Advisories referenced in VulDB entries (vuln/359752 and related pages) document the issue and its CTI implications, while a GitHub repository provides a public proof-of-concept exploit in a README file specific to this vulnerability. The vendor's site at totolink.net is listed, though no patch details are specified in the provided references.
An exploit has been publicly released, heightening the risk of real-world attacks against unpatched Totolink A8000RU devices.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated OS command injection in a public-facing CGI interface on a router, directly enabling exploitation of public-facing applications (T1190) and execution of commands via network device CLI (T1059.008).