Cyber Posture

CVE-2026-7242

Critical

Published: 28 April 2026

Modified: 28 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnClientCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument 'enabled' can lead to OS command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validating the 'enabled' argument in the setOpenVpnClientCfg CGI function to block OS command injection exploits.

Prevent: Mandates timely remediation of the specific command injection flaw in the Totolink router's CGI handler via firmware updates.

Prevent: Enforces authorized access to the vulnerable /cgi-bin/cstecgi.cgi endpoint, preventing unauthenticated remote manipulation of the 'enabled' argument.
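The first control above calls for validating the 'enabled' argument before it reaches anything that executes commands. The following is an added example of what that validation looks like in a CGI handler written in C; it is not Totolink firmware code, and the function names (get_param, parse_enabled, has_shell_metachars, handle_set_enabled) and the form-body layout it assumes are hypothetical. The value is extracted from the request body, checked against a strict allowlist of "0" and "1", and only then applied as an integer flag; it is never interpolated into a shell command line. Rejected values that carry shell metacharacters are tagged separately so the handler can log them for detection.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not Totolink's code. Models a hardened CGI handler for a
   boolean argument named "enabled": copy the raw value out of the request,
   allowlist it, then use it as a flag. No shell is ever involved. */

#define VALUE_MAX 64

/* Extract `key` from a form body of the assumed shape k1=v1&k2=v2.
   Returns 1 and writes the raw value to `out` on success, 0 otherwise.
   A value that would not fit in `out` is treated as absent. */
int get_param(const char *body, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = pair_len - klen - 1;
            if (vlen >= out_len)
                return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Allowlist: the only acceptable encodings of the boolean are "0" and "1".
   Returns 0 or 1, or -1 for anything else ("true", " 1", "", "1;x", ...). */
int parse_enabled(const char *value)
{
    if (strcmp(value, "0") == 0) return 0;
    if (strcmp(value, "1") == 0) return 1;
    return -1;
}

/* Detection aid: does the raw value contain characters a shell would treat
   specially? Used only to tag a rejected request in the log. */
int has_shell_metachars(const char *value)
{
    return strpbrk(value, ";|&`$()<>\n\r'\"\\") != NULL;
}

/* Handle one request body. Returns the validated flag (0 or 1), or -1 when
   the request is rejected; `reason` receives a short tag for logging. */
int handle_set_enabled(const char *body, const char **reason)
{
    char raw[VALUE_MAX];
    if (!get_param(body, "enabled", raw, sizeof raw)) {
        *reason = "missing";
        return -1;
    }
    int flag = parse_enabled(raw);
    if (flag < 0) {
        *reason = has_shell_metachars(raw) ? "rejected-metachar" : "rejected";
        return -1;
    }
    *reason = "ok";
    return flag;
}

int main(void)
{
    /* Constructed request bodies for demonstration, not captured traffic. */
    const char *bodies[] = {
        "enabled=1&proto=udp",
        "enabled=0",
        "enabled=1;x",
        "enabled=true",
        "proto=udp",
    };
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        const char *why;
        int r = handle_set_enabled(bodies[i], &why);
        printf("%-20s -> %2d (%s)\n", bodies[i], r, why);
    }
    return 0;
}
```

The design point is that the validated result is an integer, so downstream code has nothing to concatenate into a command string; the "rejected-metachar" tag gives a defender a cheap signal to alert on in the handler's log.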

Security Summary

CVE-2026-7242 is an OS command injection vulnerability in the Totolink A8000RU router, specifically firmware version 7.1cu.643_b20200521. The flaw affects the setOpenVpnClientCfg function in the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the "enabled" argument enables arbitrary OS command execution. Published on 2026-04-28, it is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.8.

The vulnerability is exploitable remotely by unauthenticated attackers requiring no privileges, user interaction, or special conditions. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise through injected commands.

VulDB advisories document the issue and link to a publicly disclosed exploit in a GitHub repository. Practitioners should review the Totolink vendor site and referenced VulDB entries for mitigation guidance, such as firmware updates, given the availability of the exploit for potential use.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE enables unauthenticated remote exploitation of a public-facing router web application (T1190) and directly provides arbitrary OS command execution on what is most likely Unix/Linux-based router firmware (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References