CVE-2026-7156
Totolink · A8000RU
The Totolink A8000RU CGI handler contains an OS command injection vulnerability in the CsteSystem function reachable via remote HTTP requests.
Executive summary
A critical OS command injection vulnerability in the Totolink A8000RU allows remote, unauthenticated attackers to execute arbitrary system commands.
Vulnerability
The vulnerability exists within the CsteSystem function of the /cgi-bin/cstecgi.cgi component. By manipulating an argument of the HTTP request, an attacker can inject and execute arbitrary operating system commands with elevated privileges.
Business impact
With a CVSS score of 9.8, this vulnerability poses a severe threat to network integrity. An attacker can gain full remote control of the device, which may be used as a pivot point for further lateral movement within the internal network, resulting in total data exposure and persistent unauthorized access.
Remediation
Immediate Action: Disconnect the affected device from the internet and check the vendor website for the latest firmware update to patch the CGI handler.
Proactive Monitoring: Monitor network traffic for unusual HTTP POST requests directed at /cgi-bin/cstecgi.cgi and inspect device logs for evidence of command execution.
Compensating Controls: Restrict access to the device management interface to trusted internal IP addresses only, and use a web application firewall (WAF) to inspect and block malicious payload patterns in CGI parameters.
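Added example (not vendor or advisory code): one way to apply the Proactive Monitoring and Compensating Controls checks to captured requests, flagging POSTs to /cgi-bin/cstecgi.cgi that come from outside a trusted subnet or carry shell metacharacters in a parameter value. The tab-separated record format, the 192.168.10.0/24 management subnet, the field name example_field and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qsl

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed management subnet
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")  # shell metacharacters
# Constructed records (not real traffic): src_ip<TAB>method<TAB>path<TAB>body
SAMPLE_LOG = "\n".join([
    '192.168.10.5\tPOST\t/cgi-bin/cstecgi.cgi\t{"example_field":"value"}',
    '203.0.113.7\tPOST\t/cgi-bin/cstecgi.cgi\t{"example_field":"value"}',
    '192.168.10.9\tPOST\t/cgi-bin/cstecgi.cgi\t{"example_field":"value;echo test"}',
    '192.168.10.9\tPOST\t/cgi-bin/cstecgi.cgi\texample_field=value%3Becho+test',
    '203.0.113.7\tGET\t/index.html\t',
])

def body_values(body):
    """Return the string values of a JSON or form-encoded request body."""
    try:
        stack, out = [json.loads(body)], []
    except ValueError:
        # Not JSON: treat as form data; parse_qsl also undoes percent-encoding.
        return [v for _, v in parse_qsl(body, keep_blank_values=True)]
    while stack:
        item = stack.pop()
        if isinstance(item, str):
            out.append(item)
        elif isinstance(item, (dict, list)):
            stack.extend(item.values() if isinstance(item, dict) else item)
    return out

def analyse(log_text):
    """Return (line_no, src_ip, reasons) for each suspicious POST to the CGI."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 4 or parts[1] != "POST" or parts[2].split("?")[0] != CGI_PATH:
            continue  # malformed record, or not a POST to the CGI handler
        src, body, reasons = parts[0], parts[3], []
        try:
            if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
                reasons.append("untrusted-source")
        except ValueError:
            reasons.append("unparseable-source")
        if any(SHELL_META.search(v) for v in body_values(body)):
            reasons.append("shell-metacharacter")
        if reasons:
            findings.append((lineno, src, reasons))
    return findings
```

Calling analyse(SAMPLE_LOG) reports records 2, 3 and 4; request bodies must be captured by the proxy or WAF for the metacharacter check to have anything to inspect.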
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Given the availability of public exploits and the critical nature of command injection, this device must be secured immediately. If a patch is unavailable, the device should be isolated from external networks to prevent exploitation.