CVE-2026-7243

Critical

Published: 28 April 2026

Published

28 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument maxRtrAdvInterval leads to os command injection. It is possible to initiate…

the attack remotely. The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing the maxRtrAdvInterval input to the vulnerable setRadvdCfg CGI function.

SI-2 Flaw Remediation good match

prevent

Remediates the command injection flaw in the Totolink A8000RU firmware by applying vendor patches or updates promptly after vulnerability identification.

AC-3 Access Enforcement partial match

prevent

Blocks unauthenticated remote access to the exposed /cgi-bin/cstecgi.cgi endpoint, mitigating exploitation of the no-privilege-required vulnerability.

Security SummaryAI

CVE-2026-7243 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setRadvdCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. By manipulating the maxRtrAdvInterval argument, an attacker can inject arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

The vulnerability enables remote exploitation without authentication, user interaction, or special privileges, allowing unauthenticated attackers anywhere on the network to target exposed router instances. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially enabling full remote code execution, data theft, device takeover, or denial of service.

Advisories from VulDB detail the vulnerability (vuln/359850) and related CTI, with a submission entry (submit/803266), while a GitHub repository (Litengzheng/vuldb_new2) provides a publicly available exploit in its README.md for the A8000RU. The vendor's site (totolink.net) is referenced but offers no specific patch details in the provided sources. Security practitioners should isolate affected devices and monitor for exploit attempts given the public PoC.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote unauthenticated OS command injection in a public-facing web CGI interface on a router (network device), directly enabling exploitation of public-facing applications (T1190) and command execution on network device CLI/shell (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_327/README.md
cna@vuldb.com
https://vuldb.com/submit/803266
cna@vuldb.com
https://vuldb.com/vuln/359850
cna@vuldb.com
https://vuldb.com/vuln/359850/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com