CVE-2026-7240

Critical

Published: 28 April 2026

Published

28 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to os command injection. The attack can be executed…

remotely. The exploit has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation and sanitization of the User argument in the vulnerable setVpnAccountCfg CGI function.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in the Totolink A8000RU firmware, such as patching the CGI handler to eliminate the command injection vulnerability.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.

Security SummaryAI

CVE-2026-7240 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw resides in the setVpnAccountCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the User argument enables command injection.

The vulnerability is remotely exploitable over the network with low complexity, requiring no privileges, user interaction, or special conditions, as indicated by its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Any unauthenticated attacker with network access can trigger it, potentially achieving high impacts on confidentiality, integrity, and availability. It maps to CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Advisories and additional details, including a publicly disclosed exploit, are referenced on VulDB (vuldb.com/vuln/359847) and a GitHub repository (github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_324/README.md), with the vendor site at totolink.net. The exploit has been made public and may be used in attacks.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated remote OS command injection in the public-facing CGI web interface of a router, directly enabling exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_324/README.md
cna@vuldb.com
https://vuldb.com/submit/802845
cna@vuldb.com
https://vuldb.com/vuln/359847
cna@vuldb.com
https://vuldb.com/vuln/359847/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com