
CVE-2026-7037: Totolink A8000RU Critical OS Command Injection


The National Vulnerability Database has disclosed a critical OS command injection vulnerability, CVE-2026-7037, impacting Totolink A8000RU routers, specifically firmware version 7.1cu.643_b20200521. This flaw resides within the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi component, where improper handling of the pptpPassThru argument allows for arbitrary OS command execution.

Rated with a CVSS score of 9.8 (CRITICAL), this vulnerability is remotely exploitable without authentication (AV:N/AC:L/PR:N/UI:N). The attacker’s calculus here is straightforward: gain full system control on an exposed edge device, likely as a stepping stone into internal networks or to establish persistent access for botnet operations. The public release of an exploit dramatically escalates the immediate risk.

This is a severe issue for any organization or individual still running the affected Totolink A8000RU model. Unauthenticated remote command injection on an internet-facing device is a gift for attackers. It bypasses perimeter defenses and grants deep access, making these routers prime targets for initial access brokers and nation-state actors alike.

What This Means For You

  • If your organization uses Totolink A8000RU routers, especially version 7.1cu.643_b20200521, you must immediately identify and isolate these devices. Given the public exploit, assume compromise if unpatched and internet-facing. Replace or reconfigure affected routers to eliminate internet exposure until a patch is available. There is no time to waste on this one.

Related ATT&CK Techniques

  • T1190 (Initial Access)

🛡️ Detection Rules

Two detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one of them is reproduced below as Sigma YAML.

critical · T1190 Initial Access

CVE-2026-7037: Totolink A8000RU OS Command Injection via pptpPassThru

Sigma YAML
title: CVE-2026-7037: Totolink A8000RU OS Command Injection via pptpPassThru
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  Detects the specific OS command injection vulnerability in Totolink A8000RU (CVE-2026-7037) by looking for requests to '/cgi-bin/cstecgi.cgi' with the 'setVpnPassCfg' function and the 'pptpPassThru' parameter containing a 'cmd=' argument, indicating an attempt to inject OS commands.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7037/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/cgi-bin/cstecgi.cgi'
    # A YAML map cannot repeat the 'cs-uri-query|contains' key; the '|all'
    # modifier requires every listed substring to appear in the same query.
    cs-uri-query|contains|all:
      - 'setVpnPassCfg'
      - 'pptpPassThru='
      - 'cmd='
  condition: selection
falsepositives:
  - Legitimate administrative activity
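To show what the rule's selection actually fires on, here is an added example (not part of the original post or the SCW rule set): a small Python evaluator that applies the selection, with Sigma's case-insensitive `contains` and `contains|all` semantics, to a few constructed web-server log lines. The log lines and the field mapping (request path to cs-uri, query string to cs-uri-query) are assumptions.

```python
from urllib.parse import urlsplit

# The rule's selection as it is meant to be read: the URI must contain the CGI path,
# and the query string must contain ALL three substrings (Sigma 'contains|all').
SELECTION = {
    "cs-uri|contains": ["/cgi-bin/cstecgi.cgi"],
    "cs-uri-query|contains|all": ["setVpnPassCfg", "pptpPassThru=", "cmd="],
}

# Constructed W3C-style lines (date time c-ip cs-method cs-uri sc-status); not real traffic.
SAMPLE_LOG = """\
2026-04-26 15:20:01 203.0.113.10 POST /cgi-bin/cstecgi.cgi?setVpnPassCfg&pptpPassThru=cmd=x 200
2026-04-26 15:21:17 192.0.2.7 POST /cgi-bin/cstecgi.cgi?setVpnPassCfg&pptpPassThru=1 200
2026-04-26 15:22:05 198.51.100.3 GET /index.html?cmd=help 200
"""

def parse_line(line: str) -> dict:
    """Split one log line into Sigma-style fields (this field mapping is an assumption)."""
    _date, _time, c_ip, method, target, status = line.split()
    parts = urlsplit(target)
    return {"c-ip": c_ip, "cs-method": method, "sc-status": status,
            "cs-uri": parts.path,            # path portion only
            "cs-uri-query": parts.query}     # everything after '?'

def field_matches(value: str, needles: list, require_all: bool) -> bool:
    """Sigma 'contains' is case-insensitive; a list is any-of unless '|all' is given."""
    hits = [n.lower() in value.lower() for n in needles]
    return all(hits) if require_all else any(hits)

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """All keys of a Sigma selection map are AND-ed together."""
    for spec, needles in selection.items():
        field, *modifiers = spec.split("|")
        if "contains" not in modifiers:
            raise ValueError(f"unsupported modifier in {spec}")
        if not field_matches(event.get(field, ""), needles, "all" in modifiers):
            return False
    return True

def alerts(log_text: str = SAMPLE_LOG) -> list:
    """Return the client IPs of the lines the rule would fire on."""
    return [e["c-ip"] for e in map(parse_line, log_text.splitlines()) if matches_selection(e)]

if __name__ == "__main__":
    print(alerts())  # prints ['203.0.113.10']
```

The second line (setVpnPassCfg with an ordinary pptpPassThru value) is the "legitimate administrative activity" the rule's false-positive note refers to, and it does not fire because 'cmd=' is absent.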


Indicators of Compromise

ID | Type | Indicator
CVE-2026-7037 | Command Injection | Totolink A8000RU 7.1cu.643_b20200521
CVE-2026-7037 | Command Injection | Vulnerable function: setVpnPassCfg
CVE-2026-7037 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7037 | Command Injection | Vulnerable argument: pptpPassThru

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 26, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
