Totolink A8000RU Critical Command Injection (CVE-2026-7122)
A critical vulnerability, tracked as CVE-2026-7122, has been identified in Totolink A8000RU devices running firmware version 7.1cu.643_b20200521. The National Vulnerability Database reports this flaw resides within the setUPnPCfg function of the /cgi-bin/cstecgi.cgi file, specifically impacting the CGI Handler component. Attackers can exploit this via manipulation of the enable argument, leading to remote OS command injection.
This is not a theoretical vulnerability; the exploit has been publicly disclosed. Given the CVSSv3.1 score of 9.8 (Critical), this remote command injection allows unauthenticated attackers to execute arbitrary commands on affected Totolink A8000RU routers. The implications are severe, granting full control over the device and potentially enabling lateral movement into internal networks.
Defenders must recognize that exposed network infrastructure, especially routers, is a prime target. A critical remote OS command injection is a gift to attackers, providing an immediate foothold. Organizations using Totolink A8000RU devices must prioritize patching or isolating them immediately. Until a patch is available, consider restricting network access to these devices to trusted internal segments only, or remove them from service if possible.
What This Means For You
- If your organization uses Totolink A8000RU routers, specifically firmware version 7.1cu.643_b20200521, you are exposed to remote OS command injection. Immediately identify and isolate these devices. There is a public exploit, meaning attackers are actively looking for these devices. Patching is the only real solution; until then, physically or logically disconnect them from any critical network segments.
🛡️ Detection Rules
CVE-2026-7122 - Totolink A8000RU CGI Handler Command Injection
```yaml
title: CVE-2026-7122 - Totolink A8000RU CGI Handler Command Injection
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7122 in Totolink A8000RU devices. The vulnerability lies in the setUPnPCfg function within cgi-bin/cstecgi.cgi, where manipulation of the 'enable' argument allows for OS command injection. This rule specifically looks for the vulnerable URI path and the presence of 'setUPnPCfg&enable=' in the query string, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7122/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri:
      - '/cgi-bin/cstecgi.cgi'
    cs-uri-query|contains:
      - 'setUPnPCfg&enable='
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
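One way to triage hits from the rule above, as an added example that is not part of the original page or of any vendor code: it applies the same three selection conditions to a constructed log and marks any `enable` value outside an assumed benign set as suspicious, which helps separate the "Legitimate administrative activity" false positives. The log layout, the sample lines and the `0`/`1` allowlist are assumptions.

```python
from urllib.parse import unquote_plus

# Values mirrored from the Sigma rule on this page.
VULN_URI = "/cgi-bin/cstecgi.cgi"
QUERY_MARKER = "setUPnPCfg&enable="
# Assumption: a benign UPnP toggle only ever sends "0" or "1".
EXPECTED_ENABLE = {"0", "1"}

# Constructed sample log; assumed field order:
# time c-ip cs-method cs-uri cs-uri-query sc-status
SAMPLE_LOG = """\
2026-04-27T10:00:01Z 192.0.2.10 GET /cgi-bin/cstecgi.cgi setUPnPCfg&enable=1 200
2026-04-27T10:00:07Z 198.51.100.23 GET /cgi-bin/cstecgi.cgi setUPnPCfg&enable=1%3BPLACEHOLDER 200
2026-04-27T10:00:09Z 192.0.2.10 GET /index.html - 200
"""


def enable_value(query):
    """Return the URL-decoded 'enable' parameter, or None if absent."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "enable":
            return unquote_plus(value)
    return None


def triage(log_text):
    """Apply the rule's selection, then grade each hit by its 'enable' value."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guess at fields
        _, src, method, uri, query, _ = fields
        # Same three conditions as the Sigma selection (all must hold).
        if method != "GET" or uri != VULN_URI or QUERY_MARKER not in query:
            continue
        value = enable_value(query)
        verdict = "review" if value in EXPECTED_ENABLE else "suspicious"
        findings.append((src, value, verdict))
    return findings


if __name__ == "__main__":
    for src, value, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:10} src={src} enable={value!r}")
```

Hits graded `review` still match the rule and should be checked against known administrator source addresses before being dismissed.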
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7122 | Command Injection | Totolink A8000RU version 7.1cu.643_b20200521 |
| CVE-2026-7122 | Command Injection | Vulnerable function: setUPnPCfg in /cgi-bin/cstecgi.cgi |
| CVE-2026-7122 | Command Injection | Vulnerable argument: enable |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.