CVE-2026-7154
Published: 27 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7154 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setAdvancedInfoShow function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the tty_server argument enables arbitrary OS command execution. It is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Unauthenticated remote attackers can exploit it over the network with low complexity and no user interaction required, achieving high impacts on confidentiality, integrity, and availability, such as full device compromise through arbitrary command execution.
An exploit has been publicly disclosed on GitHub at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_318/README.md, with further details in VulDB records including https://vuldb.com/vuln/359753 and https://vuldb.com/submit/801140. The vendor site https://www.totolink.net/ is referenced for potential updates, though specific patch or mitigation guidance is not detailed in available sources.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing router web CGI interface (T1190: Exploit Public-Facing Application), directly enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).