Totolink A8000RU Critical OS Command Injection (CVE-2026-7125)

The National Vulnerability Database has disclosed CVE-2026-7125, a critical OS command injection vulnerability impacting Totolink A8000RU routers, specifically version 7.1cu.643_b20200521. This flaw resides within the setWiFiEasyCfg function of the /cgi-bin/cstecgi.cgi component, where improper handling of the merge argument allows for arbitrary command execution.

Rated with a CVSSv3.1 score of 9.8 (CRITICAL), this vulnerability is remotely exploitable without authentication (AV:N/AC:L/PR:N/UI:N). The National Vulnerability Database confirms that a public exploit is available, significantly increasing the immediate risk. This means attackers can leverage this flaw with minimal effort to gain full control over affected devices.

The implications for defenders are severe. An unauthenticated, remote command injection on a network edge device like a router grants attackers deep access into the internal network. They can pivot, establish persistence, exfiltrate data, or deploy further malware. The public availability of exploit code drastically lowers the barrier for entry for malicious actors, from opportunistic attackers to more sophisticated adversaries.

What This Means For You

  • If your organization or home office relies on Totolink A8000RU routers, especially version 7.1cu.643_b20200521, you are immediately exposed to critical risk. Identify all instances of this device, isolate them from critical networks if possible, and aggressively monitor for any vendor-issued patches or mitigation guidance. Assume compromise if these devices are internet-facing and unpatched.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

Sigma rule, auto-generated for this advisory and mapped to MITRE ATT&CK (level: critical, technique: T1190):

title: CVE-2026-7125 - Totolink A8000RU OS Command Injection via setWiFiEasyCfg
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7125 in Totolink A8000RU devices. The vulnerability allows OS command injection through the setWiFiEasyCfg function in cgi-bin/cstecgi.cgi when the 'merge' argument is manipulated. This rule looks for the vulnerable CGI script, the function name, the 'merge' parameter, and a common indicator of command injection (backticks) in the same request.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7125/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/cgi-bin/cstecgi.cgi'
    cs-uri-query|contains|all:
      - 'setWiFiEasyCfg'
      - 'merge='
  selection_command_injection:
    cs-uri-query|contains: '`'
  condition: selection and selection_command_injection
falsepositives:
  - Legitimate administrative activity
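As an added example (not part of the advisory or of the feed's own tooling), the rule's selection logic applied in Python to a few constructed W3C-style webserver log lines; the column layout, the `op=` parameter name and every sample value are assumptions. It also URL-decodes the query before matching, which the Sigma rule as written does not, so a percent-encoded backtick (%60) is counted as well.

```python
"""Constructed example: apply the CVE-2026-7125 Sigma logic to sample log lines.

Assumptions (not from the advisory): W3C-style lines with the columns
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status; the 'op='
parameter and all sample values below are constructed for illustration.
"""
from urllib.parse import unquote

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "2026-04-27 16:20:01 198.51.100.7 GET /cgi-bin/cstecgi.cgi op=setWiFiEasyCfg&merge=1 200",
    "2026-04-27 16:20:05 198.51.100.7 POST /cgi-bin/cstecgi.cgi op=setWiFiEasyCfg&merge=`id` 200",
    "2026-04-27 16:20:09 198.51.100.9 POST /cgi-bin/cstecgi.cgi op=setWiFiEasyCfg&merge=%60id%60 200",
    "2026-04-27 16:21:00 203.0.113.4 GET /index.html - 200",
]


def parse_line(line: str) -> dict:
    """Split one constructed W3C-style line into the fields the Sigma rule uses."""
    _date, _time, c_ip, method, uri_stem, uri_query, status = line.split(" ", 6)
    return {
        "c-ip": c_ip,
        "cs-method": method,
        "cs-uri": uri_stem,
        "cs-uri-query": "" if uri_query == "-" else uri_query,
        "sc-status": status,
    }


def matches_rule(event: dict, decode: bool = True) -> bool:
    """Mirror the rule: selection AND selection_command_injection.

    The Sigma rule matches a literal backtick only; with decode=True the query
    is URL-decoded first so a percent-encoded backtick (%60) is also caught.
    """
    query = unquote(event["cs-uri-query"]) if decode else event["cs-uri-query"]
    selection = ("/cgi-bin/cstecgi.cgi" in event["cs-uri"]
                 and "setWiFiEasyCfg" in query and "merge=" in query)
    selection_command_injection = "`" in query
    return selection and selection_command_injection


def scan(lines, decode: bool = True):
    """Return (source IP, raw line) for every line that triggers the rule."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if matches_rule(event, decode):
            hits.append((event["c-ip"], line))
    return hits


if __name__ == "__main__":
    for ip, line in scan(SAMPLE_LOGS):
        print(f"ALERT CVE-2026-7125 attempt from {ip}: {line}")
```

Running it with decode=False reproduces the Sigma rule literally and misses the percent-encoded line, which is the gap a SIEM conversion should close by decoding the query field first.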


Indicators of Compromise

ID             Type               Indicator
CVE-2026-7125  Command Injection  Totolink A8000RU 7.1cu.643_b20200521
CVE-2026-7125  Command Injection  Vulnerable function: setWiFiEasyCfg
CVE-2026-7125  Command Injection  Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7125  Command Injection  Vulnerable component: CGI Handler
CVE-2026-7125  Command Injection  Vulnerable argument: merge

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
