Cyber Posture

CVE-2026-7538

Critical

Published: 01 May 2026

Modified: 01 May 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to OS command injection. The attack may be initiated remotely.…

The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection vulnerability by validating the manipulated 'proto' argument in the CGI handler.

prevent, recover

Mandates timely flaw remediation through firmware updates addressing the specific command injection in Totolink A8000RU 7.1cu.643_b20200521.

prevent

Enforces approved authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.

Security Summary AI

CVE-2026-7538 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the CGI Handler component, specifically the /cgi-bin/cstecgi.cgi file, where manipulation of the "proto" argument enables arbitrary command execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.

The vulnerability is exploitable remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to full control over the device, including data theft, modification of configurations, or disruption of network services.

Advisories and details are documented on VulDB (vuln/360354 and related pages) and a GitHub repository containing a publicly available exploit at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_329/README.md. The Totolink vendor website (https://www.totolink.net/) provides general support resources, though specific patch information for this firmware version is referenced in the linked submissions. Security practitioners should verify and apply any available firmware updates promptly.
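
Added example (not part of the original advisory or any vendor code): one way to review proxy or WAF request records for requests to /cgi-bin/cstecgi.cgi whose proto value falls outside a strict allowlist. The record fields (src, path, body), the JSON or form-encoded body formats, and the allowlist pattern are assumptions; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"   # path named in the advisory
PARAM = "proto"                     # argument named in the advisory
# Assumption: a legitimate protocol value is a short alphanumeric token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_+-]{1,16}")

def extract_values(body, param=PARAM):
    """Return every value of `param` found in a JSON or form-encoded body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return parse_qs(body).get(param, [])   # not JSON: treat as form data
    found, stack = [], [doc]
    while stack:                               # walk nested objects and arrays
        node = stack.pop()
        if isinstance(node, dict):
            for key, val in node.items():
                if key == param and not isinstance(val, (dict, list)):
                    found.append(str(val))
                else:
                    stack.append(val)
        elif isinstance(node, list):
            stack.extend(node)
    return found

def suspicious_requests(records):
    """Return (source, value) pairs whose proto value fails the allowlist."""
    hits = []
    for rec in records:
        path, _, query = rec["path"].partition("?")
        if path != ENDPOINT:
            continue
        values = extract_values(rec.get("body", "")) + parse_qs(query).get(PARAM, [])
        hits += [(rec["src"], v) for v in values if not SAFE_VALUE.fullmatch(v)]
    return hits

# Constructed sample records (not captured traffic); PLACEHOLDER marks injected text.
SAMPLE = [
    {"src": "192.0.2.10", "path": ENDPOINT, "body": '{"proto": "tcp"}'},
    {"src": "198.51.100.7", "path": ENDPOINT, "body": '{"rule": {"proto": "tcp;PLACEHOLDER"}}'},
    {"src": "198.51.100.7", "path": ENDPOINT, "body": "proto=udp%24%28PLACEHOLDER%29&port=80"},
    {"src": "203.0.113.5", "path": "/index.html", "body": "proto=tcp%3BPLACEHOLDER"},
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE):
        print(f"{src} sent non-allowlisted proto value: {value!r}")
```

The same allowlist check applies in front of the device: a reverse proxy can reject any request to this endpoint whose proto value does not match it.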

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

CVE-2026-7538 is a command injection vulnerability in a public-facing CGI handler on a router web interface, directly enabling exploitation of public-facing applications (T1190) and arbitrary OS command execution equivalent to abusing network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0