CVE-2026-7156
Published: 27 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7156, published on 2026-04-27, is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw resides in the CsteSystem function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the HTTP argument enables arbitrary command execution.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable remotely by unauthenticated attackers requiring no user interaction or privileges. Successful exploitation allows attackers to inject and execute operating system commands, potentially resulting in high-impact compromise of confidentiality, integrity, and availability on the targeted device.
Advisories and references include a public exploit detailed in a GitHub repository at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_320/README.md, along with VulDB entries at https://vuldb.com/vuln/359755, https://vuldb.com/submit/801142, and https://vuldb.com/vuln/359755/cti, plus the vendor site at https://www.totolink.net/. Practitioners should review these sources for any recommended mitigations, such as firmware patches.
The exploit has been publicly disclosed and may be used, which heightens the risk of active exploitation against unpatched Totolink A8000RU devices.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection through a public-facing router web CGI directly enables exploitation of a public-facing application (T1190) and command execution via the Unix shell (T1059.004).