CVE-2026-7202
Received - Intake
OS Command Injection in Totolink A8000RU CGI Handler (Remote

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VulDB

Description
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a8000ru | 7.1cu.643_b20200521 |
CWE
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7202 is a command injection vulnerability in the TOTOLINK A8000RU router, version 7.1cu.643_b20200521. It exists in the CGI Handler component, specifically in the function setWiFiWpsStart within the /cgi-bin/cstecgi.cgi file. The vulnerability arises from improper handling of the user-supplied parameter "wscDisabled", which is concatenated and passed through several functions before being executed as an operating system command. This allows a remote attacker to execute arbitrary OS commands on the affected device.

A proof of concept shows that by sending a crafted HTTP POST request with the "wscDisabled" parameter set to a command like `ls>./setWiFiWpsStart.txt`, the router executes this command, creating a file with the directory listing. This confirms the ability to run arbitrary commands remotely.


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A8000RU router without any authentication. This can lead to full compromise of the device, including unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within the network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted HTTP POST request to the endpoint /cgi-bin/cstecgi.cgi with the parameter wscDisabled set to a command that produces a detectable effect on the device.

For example, a proof of concept uses the command `ls>./setWiFiWpsStart.txt` to check if the router executes arbitrary commands. If successful, a file named setWiFiWpsStart.txt will be created containing the directory listing.

A sample command to test this could be using curl as follows:

  • curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -d "wscDisabled=ls>./setWiFiWpsStart.txt"

After running this command, checking the router's filesystem for the presence of setWiFiWpsStart.txt confirms exploitation.
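A passive check that avoids running anything on the device, given as an added example (not part of the original advisory or of vendor code): it classifies logged requests to /cgi-bin/cstecgi.cgi by the value of wscDisabled. It assumes that method, path and body are available from a proxy or IDS log, that a legitimate value is the toggle 0 or 1, and that the body may be form-encoded or JSON; the function names and sample requests are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
PARAM = "wscDisabled"
# Assumption: a legitimate client only ever sends a 0/1 toggle in this field.
ALLOWED = re.compile(r"[01]")
# Characters a shell treats as control or redirection syntax.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")

def extract_param(body):
    """Return the wscDisabled value from a JSON or form-encoded body, else None."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and PARAM in doc:
            return str(doc[PARAM])
    except ValueError:
        pass  # not JSON, fall through to form decoding
    # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
    values = parse_qs(body, keep_blank_values=True).get(PARAM)
    return values[0] if values else None

def classify(method, path, body):
    """Label one logged request: 'ignore', 'ok', 'anomalous' or 'injection'."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    value = extract_param(body)
    if value is None:
        return "ignore"
    if SHELL_META.search(value):
        return "injection"
    return "ok" if ALLOWED.fullmatch(value) else "anomalous"

# Constructed sample log entries; the second carries the PoC value quoted above.
SAMPLES = [
    ("POST", ENDPOINT, "wscDisabled=1"),
    ("POST", ENDPOINT, "wscDisabled=ls>./setWiFiWpsStart.txt"),
    ("POST", ENDPOINT, "wscDisabled=1%3Breboot"),
    ("POST", ENDPOINT, '{"wscDisabled": "0"}'),
    ("POST", ENDPOINT, "wscDisabled=enabled"),
    ("GET", "/index.html", ""),
]

def scan(samples):
    """Return the verdict for each (method, path, body) tuple, in order."""
    return [classify(*s) for s in samples]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:10} {sample[2]!r}")
```

Requests labelled 'anomalous' fall outside the assumed allowlist without containing shell syntax and are worth reviewing alongside the 'injection' hits.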


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A8000RU router. This could lead to unauthorized access, data breaches, or manipulation of sensitive information.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could result in violations of these regulations due to potential exposure or compromise of protected data handled by the device or network.

