Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-7137

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

View on NVD

Analysis

This is an OS command injection vulnerability in the firmware of a specific Totolink router model. It is vendor-specific consumer hardware that is not part of the standard web, mobile, or backend developer stack. The impact is limited to the user base of this specific IoT device.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-77CWE-78

EPSS

Probability of exploitation (next 30 days): 0.0125 (1.3%)
Percentile: 79.5%
EPSS: 2026-05-06

Technical description

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Published: 4/27/2026, 4:16:47 PM
Last modified: 4/27/2026, 6:35:53 PM

References

HomeEventsBlogResourcesTeam