CVE-2026-7202
Published: 28 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-7202 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. It affects the setWiFiWpsStart function within the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the wscDisabled argument enables arbitrary command execution. The issue is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network and requires neither privileges nor user interaction.
Any remote attacker can exploit this vulnerability without authentication by sending a crafted request to the affected CGI endpoint, potentially achieving full compromise of the device. Successful exploitation grants high-impact privileges, allowing confidentiality breaches, integrity modifications, and availability disruptions through injected OS commands on the underlying system.
Advisories from VulDB detail the vulnerability (entries 359802 and related CTI) and note public disclosure of an exploit via a GitHub repository containing a README for the A8000RU vulnerability. The manufacturer's site (totolink.net) is referenced, but no specific patches or mitigations are outlined in the available information; practitioners should check for firmware updates and apply network segmentation to exposed devices.
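Until a vendor fix is available, the practical defensive step beyond segmentation is to watch for requests that reach the affected handler with shell metacharacters in the named parameter. The following is an added example, not code from the advisory, VulDB, or Totolink: it takes the endpoint and parameter names from the summary above and treats everything else (how the parameter is transported, the sample traffic, the `is_suspicious_request` and `scan` helpers) as an assumption. A WPS on/off flag has no legitimate reason to contain characters such as `;`, `|` or backticks, so their presence is the detection signal.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the advisory: the affected CGI handler and the injected parameter.
SUSPECT_PATH = "/cgi-bin/cstecgi.cgi"
SUSPECT_PARAM = "wscDisabled"

# Shell metacharacters that should never appear in a WPS on/off flag. Any one of them
# in the parameter value is enough to flag the request for review.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")


def extract_params(method, target, body=""):
    """Collect request parameters from the query string and, for POST, from the body.

    Assumption (the advisory does not say how the parameter is transported): the body
    is either form-encoded or a flat JSON object. Both layouts are handled so the check
    does not depend on which one the firmware actually uses.
    """
    parts = urlsplit(target)
    params = dict(parse_qs(parts.query, keep_blank_values=True))
    if method.upper() == "POST" and body:
        stripped = body.strip()
        if stripped.startswith("{"):
            try:
                for key, value in json.loads(stripped).items():
                    params.setdefault(key, []).append(str(value))
            except ValueError:
                pass  # malformed JSON: nothing more to extract
        else:
            for key, values in parse_qs(stripped, keep_blank_values=True).items():
                params.setdefault(key, []).extend(values)
    return parts.path, params


def is_suspicious_request(method, target, body=""):
    """Return (flagged, reason) for a single request."""
    path, params = extract_params(method, target, body)
    if path != SUSPECT_PATH:
        return False, ""
    for value in params.get(SUSPECT_PARAM, []):
        if SHELL_META.search(value):
            return True, f"shell metacharacter in {SUSPECT_PARAM}={value!r}"
    return False, ""


def scan(requests):
    """Run the check over (method, target, body) tuples; return [(index, reason), ...]."""
    hits = []
    for index, (method, target, body) in enumerate(requests):
        flagged, reason = is_suspicious_request(method, target, body)
        if flagged:
            hits.append((index, reason))
    return hits


# Constructed sample traffic for the demonstration, not captured from a real device.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/cstecgi.cgi?wscDisabled=0", ""),            # benign toggle
    ("POST", "/cgi-bin/cstecgi.cgi", '{"wscDisabled": "1"}'),       # benign, JSON body
    ("GET", "/cgi-bin/cstecgi.cgi?wscDisabled=1%3Bid", ""),        # ';' URL-encoded
    ("POST", "/cgi-bin/cstecgi.cgi", "wscDisabled=1%60id%60"),     # backticks, form body
    ("GET", "/index.html?wscDisabled=1;id", ""),                   # wrong endpoint
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {reason}")
```

The check is deliberately narrow (one path, one parameter) so it can run against a reverse-proxy or WAF log in front of the router without false positives from ordinary management traffic; percent-decoding is done by `parse_qs`, so encoded metacharacters are caught as well as literal ones.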
Details
- CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated remote exploitation of a public-facing web application (T1190), leading to arbitrary OS command execution on a router that is most likely Unix/Linux-based (T1059.004).