Totolink A8000RU Critical Command Injection Flaw (CVE-2026-7136)
The National Vulnerability Database has disclosed CVE-2026-7136, a critical command injection vulnerability affecting Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. This flaw resides within the CGI Handler component, specifically in the setDmzCfg function of the /cgi-bin/cstecgi.cgi file. Attackers can exploit this by manipulating the ‘wanIdx’ argument to inject operating system commands, potentially leading to full system compromise. The National Vulnerability Database notes that this vulnerability is remotely exploitable and a public exploit is available, increasing the immediate risk.
This vulnerability carries a CVSS score of 9.8 (CRITICAL), underscoring its severity. The CWE classifications, CWE-77 (command injection) and CWE-78 (OS command injection), directly point to OS command injection. Given the wide deployment of home and small office routers, this presents a significant threat vector. Attackers can leverage this to take control of affected devices, pivot into internal networks, or use them as part of a botnet.
Defenders must prioritize patching or replacing affected Totolink A8000RU devices immediately. For organizations unable to patch, network segmentation and disabling remote management interfaces are crucial mitigation steps. Network monitoring should be enhanced to detect unusual outbound traffic or command execution patterns originating from these devices.
What This Means For You
- If your organization uses Totolink A8000RU routers, check your firmware version NOW. If it's 7.1cu.643_b20200521, isolate the device from the internet and your internal network and plan for immediate replacement or patching. Given the public exploit, expect active exploitation.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-7136 - Totolink A8000RU DMZ Command Injection
title: CVE-2026-7136 - Totolink A8000RU DMZ Command Injection
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2026-7136 by targeting the setDmzCfg function in Totolink A8000RU devices. The rule looks for specific CGI paths and query parameters indicative of command injection attempts via the wanIdx argument, including common command injection payloads like 'ping', 'echo', 'wget', 'curl', 'nc', 'sh', and 'bash'.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-7136/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    # Request path of the vulnerable CGI handler. cs-uri-stem is the W3C
    # extended-log field for the path; the draft used the non-standard name cs-uri.
    selection_path:
        cs-uri-stem|contains: '/cgi-bin/cstecgi.cgi'
    # Both the targeted function and the injectable argument must be present.
    selection_function:
        cs-uri-query|contains|all:
            - 'setDmzCfg'
            - 'wanIdx='
    # Any one of the payload keywords. YAML does not allow a key to repeat
    # inside one mapping, so the keywords form a single list instead of
    # repeated cs-uri-query|contains entries. Sigma matching is case-insensitive.
    selection_payload:
        cs-uri-query|contains:
            - 'ping'
            - 'echo'
            - 'wget'
            - 'curl'
            - 'nc'
            - 'sh'
            - 'bash'
    # The condition must reference selection names, not log field names.
    condition: selection_path and selection_function and selection_payload
falsepositives:
    - Legitimate administrative activity
    # Short substrings such as 'sh' and 'nc' also match benign values
    # (for example 'flash' or 'sync'); tune the list if the rule is noisy.
    # Parameters sent in a POST body never reach cs-uri-query, so this rule
    # only covers logs that record the query string.
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7136 | Vulnerability | CVE-2026-7136 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.