CVE-2026-7125
Received - Intake
OS Command Injection in Totolink A8000RU CGI Handler

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulDB

Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to OS command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
totolink | a8000ru | 7.1cu.643_b20200521
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7125 is a command injection vulnerability in the TOTOLINK A8000RU router, version 7.1cu.643_b20200521. It exists in the CGI Handler component, specifically in the setWiFiEasyCfg function of the /cgi-bin/cstecgi.cgi file. The vulnerability arises because the user-supplied parameter "merge" is not properly sanitized before being passed to system command execution functions. This allows a remote attacker to execute arbitrary operating system commands by sending specially crafted requests to the router.

A proof of concept shows that by setting the "merge" parameter to a command like `ls>./setWiFiEasyCfg.txt` in a POST request, the router executes this command, confirming remote code execution capability.


How can this vulnerability impact me?

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands on the affected router without any authentication or user interaction.

  • Attackers can gain control over the router, potentially altering its configuration or using it as a foothold to access other devices on the network.
  • Sensitive information stored or transmitted by the router could be exposed or manipulated.
  • The router could be used to launch further attacks, such as network reconnaissance or denial of service.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted POST request to the /cgi-bin/cstecgi.cgi endpoint with the parameter "merge" containing a command to be executed on the device.

For example, a proof of concept uses the command `ls>./setWiFiEasyCfg.txt`, which, if successful, creates a text file on the device containing the directory listing.

A sample curl command to test this would be:

  • curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -d "merge=ls>./setWiFiEasyCfg.txt"

If the file setWiFiEasyCfg.txt is created on the device, it confirms the presence of the vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A8000RU router. This remote code execution flaw can lead to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and control over network devices can compromise the confidentiality, integrity, and availability of data, potentially violating requirements set by common standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to failure to adequately secure network infrastructure and protect data from unauthorized access or alteration.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-7125 vulnerability in the TOTOLINK A8000RU router, immediate steps include restricting remote access to the affected /cgi-bin/cstecgi.cgi endpoint to prevent exploitation.

Additionally, disabling or limiting the use of the vulnerable setWiFiEasyCfg function or the CGI Handler component can reduce risk.

Applying any available firmware updates or patches from the vendor that address this command injection flaw is strongly recommended.

If patches are not available, consider isolating the device from untrusted networks and monitoring for suspicious activity related to the 'merge' parameter in requests.
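
One way to do the monitoring described above, as an added example that is not part of the original advisory or any vendor tooling: it scans captured HTTP request records for POSTs to /cgi-bin/cstecgi.cgi whose "merge" value contains shell metacharacters. The record layout (src, method, path, body), the benign value "1" and the JSON body form are assumptions; the flagged sample value is the proof-of-concept string quoted on this page.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
# Characters a shell treats specially. Assumption: a legitimate
# "merge" setting never needs any of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")


def extract_merge(body):
    """Return the 'merge' value from a form-encoded or JSON body, else None."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return None
        value = data.get("merge") if isinstance(data, dict) else None
        return None if value is None else str(value)
    # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
    values = parse_qs(body, keep_blank_values=True).get("merge")
    return values[0] if values else None


def flag_requests(records):
    """Return (src, merge) for each suspicious POST to the CGI endpoint."""
    hits = []
    for rec in records:
        if rec["method"] != "POST" or rec["path"].split("?")[0] != ENDPOINT:
            continue
        merge = extract_merge(rec["body"])
        if merge is not None and SHELL_META.search(merge):
            hits.append((rec["src"], merge))
    return hits


# Constructed sample records (documentation IP ranges), not real traffic.
POC = "ls>./setWiFiEasyCfg.txt"
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": ENDPOINT, "body": "merge=1"},
    {"src": "198.51.100.7", "method": "POST", "path": ENDPOINT, "body": "merge=" + POC},
    {"src": "198.51.100.7", "method": "POST", "path": ENDPOINT,
     "body": "merge=ls%3E.%2FsetWiFiEasyCfg.txt"},
    {"src": "203.0.113.5", "method": "POST", "path": ENDPOINT,
     "body": json.dumps({"merge": POC})},
    {"src": "192.0.2.10", "method": "GET", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for src, merge in flag_requests(SAMPLE):
        print(f"ALERT src={src} merge={merge!r}")
```

Feed it records exported from whatever proxy or sensor sits in front of the device; a hit from an address outside the management network is the case to triage first.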

