CVE-2026-7037
Received Received - Intake
OS Command Injection in Totolink A8000RU CGI Handler Allows Remote Exploits

Publication date: 2026-04-26

Last updated on: 2026-04-26

Assigner: VulDB

Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-26
Last Modified
2026-04-26
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7037
EUVD
EUVD-2026-25713
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a8000ru 7.1cu.643_b20200521
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7037 is a command injection vulnerability in the TOTOLINK A8000RU router, version 7.1cu.643_b20200521. It exists in the CGI script /cgi-bin/cstecgi.cgi, specifically in the function setVpnPassCfg that processes the pptpPassThru parameter.

Due to insufficient input sanitization, an attacker can inject arbitrary operating system commands through the pptpPassThru parameter. When a specially crafted HTTP POST request is sent to the vulnerable CGI endpoint with malicious input, the router executes the injected commands on the device.

A proof of concept shows that an attacker can execute commands like listing directory contents and writing them to a file on the device, confirming remote command execution capability.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary operating system commands on the affected TOTOLINK A8000RU router without any authentication.

  • An attacker could take full control of the device.
  • They could manipulate router configurations, intercept or redirect network traffic, or use the device as a foothold for further attacks within the network.
  • This could lead to data breaches, network downtime, or compromise of connected systems.
Detection Guidance

This vulnerability can be detected by sending a crafted HTTP POST request to the endpoint /cgi-bin/cstecgi.cgi with the parameter pptpPassThru containing a command injection payload.

For example, a proof of concept uses the command `ls>./setVpnPassCfg.txt` as the value of pptpPassThru. If the router executes this command, it will create a file named setVpnPassCfg.txt containing the directory listing, confirming the vulnerability.

  • Send a POST request to http://[router_ip]/cgi-bin/cstecgi.cgi with pptpPassThru=ls>./setVpnPassCfg.txt
  • Check if the file setVpnPassCfg.txt is created on the device, indicating successful command execution.
Compliance Impact

The CVE-2026-7037 vulnerability allows remote attackers to execute arbitrary OS commands on the TOTOLINK A8000RU router due to insufficient input sanitization in the setVpnPassCfg function. This type of command injection can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such security flaws can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches. Exploitation of this vulnerability could result in violations of these regulations due to potential data exposure or system compromise.

Mitigation Strategies

To mitigate the CVE-2026-7037 vulnerability in the TOTOLINK A8000RU router, immediate steps include restricting remote access to the affected CGI endpoint (/cgi-bin/cstecgi.cgi) to prevent exploitation.

Additionally, monitor network traffic for suspicious POST requests containing the pptpPassThru parameter, as this is the vector for command injection.

If possible, disable or restrict the VPN passthrough feature until a patch or update is available from the vendor.

Finally, apply any available firmware updates or patches provided by TOTOLINK addressing this vulnerability as soon as they are released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart