A remote OS command injection vulnerability exists in the Totolink A8000RU router via the pptpPassThru argument in the setVpnPassCfg function.
Description
A remote OS command injection vulnerability exists in the Totolink A8000RU router via the pptpPassThru argument in the setVpnPassCfg function.
AI Analyst Comment
Remediation
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Totolink
PRODUCT: A8000RU
AFFECTED_VERSIONS: 7.1cu.643_b20200521
---END_METADATA---
Description Summary:
A remote OS command injection vulnerability exists in the Totolink A8000RU router via the pptpPassThru argument in the setVpnPassCfg function.
Executive Summary:
An unauthenticated OS command injection vulnerability in the Totolink A8000RU router allows remote attackers to execute arbitrary system commands, posing a critical risk of total device compromise.
Vulnerability Details
CVE-ID: CVE-2026-7037
Affected Software: Totolink A8000RU
Affected Versions: 7.1cu.643_b20200521
Vulnerability: This is an OS command injection flaw within the
setVpnPassCfgfunction of the/cgi-bin/cstecgi.cgicomponent. Attackers can reach this endpoint without authentication to inject malicious commands that run with system-level privileges.Business Impact
The CVSS score of 9.8 reflects the ease of exploitation and the severity of the impact. Successful exploitation grants an attacker full control over the network device, which can be used to intercept sensitive traffic, pivot into internal network segments, or deploy persistent malware, leading to severe data breaches and operational downtime.
Remediation Plan
Immediate Action: Disconnect the affected device from the internet or restrict access to the management interface to trusted IP addresses only until a firmware patch is applied.
Proactive Monitoring: Inspect system logs for unusual command executions or attempts to access the
cstecgi.cgifile from unauthorized external IP addresses.Compensating Controls: Deploy a Web Application Firewall (WAF) or intrusion prevention system (IPS) configured to block malicious patterns targeting CGI scripts and command injection sequences.
Exploitation Status
Public Exploit Available: true
Analyst Notes: As of April 26, 2026, public exploit code is available for this vulnerability. Given the ease of remote execution and the availability of proof-of-concept material, the likelihood of active exploitation is extremely high.
Analyst Recommendation
This vulnerability represents a critical threat to network integrity. Organizations using the Totolink A8000RU should prioritize immediate isolation of the device. If an official firmware update is unavailable, ensure the device is not accessible from the public internet and evaluate replacement options if the vendor does not provide a timely fix.