Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-7122

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

View on NVD

Analysis

This vulnerability affects the Totolink A8000RU router firmware, allowing for remote OS command injection. It is a vendor-specific bug in SOHO networking hardware that is not commonly used in professional development environments or standard server infrastructure. The impact is limited to users of this specific device and does not warrant broad community attention.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-77CWE-78

EPSS

Probability of exploitation (next 30 days): 0.0125 (1.3%)
Percentile: 79.5%
EPSS: 2026-05-06

Technical description

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Published: 4/27/2026, 12:16:26 PM
Last modified: 4/27/2026, 6:36:42 PM

References

HomeEventsBlogResourcesTeam