Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-7037

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Ver en NVD

Análisis

This vulnerability involves remote command injection in the firmware of a Totolink A8000RU router. Although the severity is critical and an exploit is public, this specific brand of consumer networking hardware is not widely used within the professional software development or server operations ecosystem of this community.

Severidad

Puntaje: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-77CWE-78

EPSS

Probabilidad de explotación (próx. 30 días): 0.0125 (1.3%)
Percentil: 79.5%
EPSS: 2026-05-06

Descripción técnica

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Publicada: 26/4/2026, 12:16:23
Última modificación: 27/4/2026, 18:50:06

Referencias

InicioEventosBlogRecursosEquipo