CVE-2026-7156

Totolink · A8000RU

The Totolink A8000RU CGI handler contains an OS command injection vulnerability in the CsteSystem function reachable via remote HTTP requests.

Executive summary

A critical OS command injection vulnerability in the Totolink A8000RU allows remote, unauthenticated attackers to execute arbitrary system commands.

Vulnerability

The vulnerability exists within the CsteSystem function of the /cgi-bin/cstecgi.cgi component. An attacker can manipulate an argument in the HTTP request to inject and execute arbitrary operating system commands with elevated privileges.

Business impact

With a CVSS score of 9.8, this vulnerability poses a severe threat to network integrity. An attacker can gain full remote control of the device, which may be used as a pivot point for further lateral movement within the internal network, resulting in total data exposure and persistent unauthorized access.

Remediation

Immediate Action: Disconnect the affected device from the internet and check the vendor website for the latest firmware update to patch the CGI handler.

Proactive Monitoring: Monitor network traffic for unusual HTTP POST requests directed at /cgi-bin/cstecgi.cgi and inspect device logs for evidence of command execution.

Compensating Controls: Restrict access to the device management interface to trusted internal IP addresses only, and utilize a WAF to inspect and block malicious payload patterns in CGI parameters.
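The monitoring and access-restriction steps above can be combined into one log triage pass. The following is an added example, not vendor or advisory code: the log format, the trusted range 192.168.1.0/24, the key name example_arg and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
# Assumption: the management LAN that is allowed to reach the device.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Literal shell separators/substitutions. Assumes the body is logged decoded
# and is not form-encoded (where '&' is a normal field separator).
SHELL_META = re.compile(r"[;&|`]|\$\(")
# Assumed (constructed) proxy log format: src_ip METHOD path body
LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")

# Constructed sample lines; "example_arg" is a hypothetical key name.
SAMPLE_LOG = """\
192.168.1.10 POST /cgi-bin/cstecgi.cgi {"example_arg":"value"}
203.0.113.7 POST /cgi-bin/cstecgi.cgi {"example_arg":"value"}
192.168.1.23 POST /cgi-bin/cstecgi.cgi {"example_arg":"value;id"}
192.168.1.10 GET /index.html -
"""

def triage(line):
    """Return the reasons a log line is suspicious (empty list = no finding)."""
    m = LINE.match(line)
    if not m or m["method"] != "POST":
        return []
    if m["path"].split("?", 1)[0] != CGI_PATH:
        return []
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return ["unparseable source address"]
    reasons = []
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("source outside trusted management range")
    if SHELL_META.search(m["body"]):
        reasons.append("shell metacharacter in request body")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = triage(line)
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

A hit from a trusted address (line 3 of the sample) still warrants investigation, since an internal host may already be compromised.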

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Given the availability of public exploits and the critical nature of command injection, this device must be secured immediately. If a patch is unavailable, the device should be isolated from external networks to prevent exploitation.