CVE-2026-7155
Published: 27 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7155 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. It targets the setLoginPasswordCfg function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the 'admpass' argument enables arbitrary command execution. The issue is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is exploitable remotely by unauthenticated attackers, with low attack complexity and no user interaction required. Successful exploitation allows attackers to inject and execute operating system commands, with high impact on confidentiality, integrity, and availability; this can lead to full device compromise, including data theft, configuration changes, or denial of service.
References include VulDB advisories at vuldb.com/vuln/359754 and vuldb.com/vuln/359754/cti, a public exploit disclosure on GitHub at github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_319/README.md, and the Totolink vendor site at totolink.net, which may detail patches or mitigation steps. The exploit has been publicly disclosed and may be used.
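As an added illustration of how a defender might flag attempts against this handler in proxy or access logs (this is example code written for this page, not part of the advisory or any Totolink software), the check below looks for POSTs to /cgi-bin/cstecgi.cgi whose body selects setLoginPasswordCfg and whose admpass value carries shell metacharacters. It assumes the CGI takes a JSON body with a "topicurl" key naming the handler; that body shape is an assumption, not stated in the advisory. The sample requests are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample records as a reverse proxy might log them:
# (method, path, POST body). The JSON shape with "topicurl" selecting the
# handler and "admpass" carrying the password is an assumption about the
# cstecgi.cgi interface, not taken from the advisory.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/cstecgi.cgi",
     '{"topicurl":"setLoginPasswordCfg","admpass":"Correct-Horse-9"}'),
    ("POST", "/cgi-bin/cstecgi.cgi",
     '{"topicurl":"setLoginPasswordCfg","admpass":"pw; echo injected"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl":"getSysStatusCfg"}'),
    ("GET", "/index.html", ""),
]

# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def inspect_request(method, path, body):
    """Return a reason string if the request looks like an attempt to
    smuggle shell syntax through admpass to setLoginPasswordCfg, else None."""
    if method != "POST" or urlsplit(path).path != "/cgi-bin/cstecgi.cgi":
        return None
    try:
        params = json.loads(body)
    except ValueError:
        return None  # not JSON: not this handler's request shape
    if not isinstance(params, dict) or params.get("topicurl") != "setLoginPasswordCfg":
        return None
    admpass = params.get("admpass")
    if not isinstance(admpass, str):
        return None
    hit = SHELL_META.search(admpass)
    if hit:
        return f"shell metacharacter {hit.group()!r} in admpass"
    return None


def scan(requests):
    """Return (index, reason) for every suspicious request in the list."""
    return [(i, reason) for i, (m, p, b) in enumerate(requests)
            if (reason := inspect_request(m, p, b))]
```

Because the handler is reachable without authentication, any setLoginPasswordCfg request arriving from an untrusted network is itself worth alerting on, independent of the metacharacter check.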
Details
- CWE(s): CWE-77, CWE-78
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable OS command injection in a public-facing web CGI interface on a router (T1190: Exploit Public-Facing Application), enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).