CVE-2026-7241
Published: 28 April 2026
Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in OS command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Mitigating Controls (NIST 800-53 r5) [AI]
Directly prevents OS command injection by validating and sanitizing the wifiOff argument in the setWiFiBasicCfg CGI function.
Remediates the specific command injection flaw in Totolink A8000RU firmware version 7.1cu.643_b20200521 through timely flaw correction and patching.
Restricts unauthenticated remote access to dangerous CGI handlers like /cgi-bin/cstecgi.cgi, blocking exploitation of the wifiOff parameter.
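The first control above (validating wifiOff before it reaches any command) can be sketched as follows. This is an added example, not Totolink firmware code and not taken from the referenced advisories; it assumes wifiOff is a boolean flag whose only legal values are "0" and "1", and the function names and helper path are hypothetical.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: wifiOff is a boolean flag, so "0" and "1" are the only legal
 * values. Everything else (empty, padded, longer, NULL) is rejected. */
int parse_wifi_off(const char *raw)
{
    if (raw == NULL)
        return -1;
    if (strcmp(raw, "0") == 0)
        return 0;
    if (strcmp(raw, "1") == 0)
        return 1;
    return -1;
}

/* Run a (hypothetical) helper with the validated value as its own argv
 * element. execv() starts the program directly, so no shell parses it. */
int run_helper(const char *helper_path, int wifi_off)
{
    char name[] = "wifiOff";
    char value[2] = { (char)('0' + wifi_off), '\0' };
    char *const argv[] = { (char *)helper_path, name, value, NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(helper_path, argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns -2 when the input is rejected, else the helper's exit status. */
int set_wifi_off(const char *raw, const char *helper_path)
{
    int v = parse_wifi_off(raw);
    return v < 0 ? -2 : run_helper(helper_path, v);
}

int main(void)
{
    return set_wifi_off("1 ", "/bin/true") == -2 ? 0 : 1; /* padded value is rejected */
}
```

The allowlist rejects by default, so any value outside the two expected ones never reaches process creation, and the argv-based call keeps the value out of shell parsing even if the allowlist is later widened.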
Security Summary [AI]
CVE-2026-7241 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the wifiOff argument triggers command injection.
Attackers can exploit this vulnerability remotely without authentication, privileges, or user interaction, requiring only low attack complexity. Successful exploitation yields high impacts on confidentiality, integrity, and availability, earning a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advisories detail the issue on VulDB (https://vuldb.com/vuln/359848 and related pages) and include a public exploit in a GitHub repository (https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_325/README.md). The vendor site is available at https://www.totolink.net/, though specific patch details are not outlined in the referenced sources.
The exploit has been made public and could be used, as stated in the CVE description published on 2026-04-28.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Unauthenticated remote OS command injection in public-facing router CGI directly enables exploitation of public-facing application (T1190) and command execution via network device CLI (T1059.008).