CVE-2026-7153
Deferred Deferred - Pending Action
Remote OS Command Injection in Totolink A8000RU CGI Handler

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulDB

Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7153
EUVD
EUVD-2026-25915
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a8000ru 7.1cu.643_b20200521
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by sending a crafted HTTP POST request to the vulnerable router's CGI interface at /cgi-bin/cstecgi.cgi with the parameter sys_info containing a command to verify command injection.

For example, a proof of concept uses the command `ls>./setMiniuiHomeInfoShow.txt` to check if the router executes arbitrary commands.

A detection command could be a curl command like the following:

  • curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -d "sys_info=ls>./setMiniuiHomeInfoShow.txt"

After running this command, checking the router's file system for the presence of the file setMiniuiHomeInfoShow.txt indicates successful command execution and confirms the vulnerability.

Compliance Impact

The CVE-2026-7153 vulnerability allows remote attackers to execute arbitrary operating system commands on the TOTOLINK A8000RU router. This type of vulnerability can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such security flaws can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could result in exposure or manipulation of protected data, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.

Mitigation Strategies

To mitigate the CVE-2026-7153 vulnerability, immediate steps include restricting remote access to the affected CGI interface (/cgi-bin/cstecgi.cgi) to trusted networks only.

Additionally, monitor network traffic for suspicious POST requests containing the 'sys_info' parameter, which could indicate exploitation attempts.

If possible, apply any available firmware updates or patches from the vendor that address this command injection flaw.

As a temporary workaround, consider disabling or restricting the vulnerable function or service until a fix is applied.

Executive Summary

CVE-2026-7153 is a command injection vulnerability in the TOTOLINK A8000RU router, version 7.1cu.643_b20200521. It exists in the CGI Handler component, specifically in the function setMiniuiHomeInfoShow within the /cgi-bin/cstecgi.cgi file. The vulnerability occurs because a user-supplied parameter named "sys_info" is improperly handled and inserted into a buffer that is then executed as an operating system command. This allows a remote attacker to execute arbitrary OS commands on the router by sending specially crafted HTTP POST requests.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected router without any authentication. This can lead to full compromise of the device, including unauthorized access, data theft, manipulation of router settings, disruption of network services, or using the router as a foothold to attack other devices on the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart