Cyber Posture

CVE-2026-7244

Critical

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0125 79.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible…

more

to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly prevents OS command injection by requiring validation of untrusted inputs such as the 'merge' argument in the vulnerable setWiFiEasyGuestCfg CGI function.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely flaw remediation through firmware patching to eliminate the specific command injection vulnerability in the Totolink A8000RU router.

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.

Security SummaryAI

CVE-2026-7244 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The issue lies in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "merge" argument enables injection of arbitrary operating system commands.

The vulnerability is remotely exploitable over the network with low complexity, requiring no privileges or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Any unauthenticated remote attacker can execute arbitrary commands on the device, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.

VulDB advisories document the flaw, including a public exploit release on GitHub at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_328/README.md, with additional details at https://vuldb.com/vuln/359851 and related pages. Security practitioners should monitor the vendor site https://www.totolink.net/ for firmware updates or mitigation guidance.

The exploit's public availability increases the risk of real-world attacks against unpatched Totolink A8000RU devices.

Details

CWE(s)
CWE-77CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Unauthenticated remote OS command injection via public-facing web CGI on router directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References