CVE-2026-7153
Remote OS Command Injection in Totolink A8000RU CGI Handler
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a8000ru | 7.1cu.643_b20200521 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7153 is a command injection vulnerability in the TOTOLINK A8000RU router, version 7.1cu.643_b20200521. It exists in the CGI Handler component, specifically in the function setMiniuiHomeInfoShow within the /cgi-bin/cstecgi.cgi file. The vulnerability occurs because a user-supplied parameter named "sys_info" is improperly handled and inserted into a buffer that is then executed as an operating system command. This allows a remote attacker to execute arbitrary OS commands on the router by sending specially crafted HTTP POST requests.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected router without any authentication. This can lead to full compromise of the device, including unauthorized access, data theft, manipulation of router settings, disruption of network services, or using the router as a foothold to attack other devices on the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-7153 vulnerability allows remote attackers to execute arbitrary operating system commands on the TOTOLINK A8000RU router. This type of vulnerability can lead to unauthorized access, data breaches, and potential compromise of sensitive information.
Such security flaws can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.
If exploited, this vulnerability could result in exposure or manipulation of protected data, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-7153 vulnerability, immediate steps include restricting remote access to the affected CGI interface (/cgi-bin/cstecgi.cgi) to trusted networks only.
Additionally, monitor network traffic for suspicious POST requests containing the 'sys_info' parameter, which could indicate exploitation attempts.
If possible, apply any available firmware updates or patches from the vendor that address this command injection flaw.
As a temporary workaround, consider disabling or restricting the vulnerable function or service until a fix is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP POST request to the vulnerable router's CGI interface at /cgi-bin/cstecgi.cgi with the parameter sys_info containing a command to verify command injection.
For example, a proof of concept uses the command `ls>./setMiniuiHomeInfoShow.txt` to check if the router executes arbitrary commands.
A detection command could be a curl command like the following:
- curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -d "sys_info=ls>./setMiniuiHomeInfoShow.txt"
After running this command, checking the router's file system for the presence of the file setMiniuiHomeInfoShow.txt indicates successful command execution and confirms the vulnerability.