Cyber Posture

CVE-2026-7204

Critical

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0125 79.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The…

more

exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents OS command injection by enforcing input validation on the untrusted 'enable' argument in the vulnerable CGI handler.

IA-8 Identification and Authentication (Non-organizational Users) good match
prevent

Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the setPptpServerCfg function.

SI-2 Flaw Remediation good match
preventdetect

Mandates timely identification, reporting, and correction of flaws like this command injection vulnerability via firmware updates.

Security SummaryAI

CVE-2026-7204 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setPptpServerCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "enable" argument triggers command injection (CWE-77, CWE-78).

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Unauthenticated remote attackers can exploit it over the network with low complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability, such as full device compromise.

Advisories are available via VulDB entries (https://vuldb.com/vuln/359804, https://vuldb.com/submit/801530) and the vendor site (https://www.totolink.net/). An exploit has been publicly disclosed on GitHub (https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_323/README.md), enabling ready utilization by threat actors.

Details

CWE(s)
CWE-77CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE-2026-7204 is an unauthenticated OS command injection in a public-facing router web CGI interface, directly enabling T1190 (Exploit Public-Facing Application) for remote exploitation and T1059.004 (Unix Shell) via injected commands on the likely Linux-based router OS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References