Totolink Router RCE: CVE-2026-7137 Exposes Home and Small Business Networks

The National Vulnerability Database (NVD) has disclosed CVE-2026-7137, a critical vulnerability in Totolink’s A8000RU router firmware (version 7.1cu.643_b20200521). This flaw resides within the CGI handler component, specifically in the setStorageCfg function. Attackers can exploit this by manipulating the sambaEnabled argument to inject operating system commands remotely. The CVSS score of 9.8 underscores the severity, indicating a high potential for complete system compromise.

This vulnerability presents a significant risk, particularly for home users and small businesses that rely on these routers for network connectivity. The NVD highlights that the exploit is publicly disclosed and potentially already in use. Remote command injection on a network device like a router can lead to a full network takeover, allowing attackers to spy on traffic, redirect users to malicious sites, or use the compromised device as a pivot point for further attacks within the network.

Defenders should immediately identify and patch or replace any affected Totolink A8000RU devices. Given the public exploit availability, assume these devices are targeted. Network segmentation and robust firewall rules are crucial to limit the blast radius if a device is compromised. Prioritize firmware updates and consider disabling unnecessary services, especially Samba, if not actively required.

What This Means For You

  • If you manage or use Totolink A8000RU routers, specifically version 7.1cu.643_b20200521, check your firmware version and patch immediately or consider replacing the device. This critical RCE vulnerability allows unauthenticated remote attackers to gain full control.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-7137 Totolink Router RCE via setStorageCfg - Free Tier

Sigma YAML — free preview
title: CVE-2026-7137 Totolink Router RCE via setStorageCfg - Free Tier
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects the specific exploit pattern for CVE-2026-7137 targeting the setStorageCfg function in Totolink routers. The rule looks for requests to /cgi-bin/cstecgi.cgi with the 'setStorageCfg' and 'sambaEnabled' parameters, and crucially, a space within the query string which is indicative of command injection attempts like 'ping ' followed by a target.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7137/
tags:
  - attack.initial_access
  - attack.t1190
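logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi-bin/cstecgi.cgi'
    # A single key with the 'all' modifier requires every substring.
    # Repeating cs-uri-query|contains creates duplicate YAML keys, and
    # parsers keep only the last one.
    # The literal space matches only where the log records the query
    # decoded; encoded forms (%20, +) are not covered.
    cs-uri-query|contains|all:
      - 'setStorageCfg'
      - 'sambaEnabled'
      - 'ping'
      - ' '
  condition: selection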
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
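
The Sigma selection above matches raw substrings, so it depends on the literal word 'ping' and an undecoded space appearing in the logged query. As an added example (not part of the original rule or the vendor's code), the Python below decodes the query first and flags any setStorageCfg request whose sambaEnabled value is not a plain token; the log lines, the query layout and the allow-list pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

CGI_PATH = "/cgi-bin/cstecgi.cgi"              # from the advisory
FUNC, ARG = "setStorageCfg", "sambaEnabled"    # from the advisory
# Assumption: a legitimate sambaEnabled value is a short alphanumeric token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9]{1,8}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; the query layout is assumed, not captured traffic.
SAMPLE_LOG = [
    '192.0.2.7 - - [27/Apr/2026:19:20:01 +0000] "GET /cgi-bin/cstecgi.cgi?setStorageCfg&sambaEnabled=1 HTTP/1.1" 200 41',
    '198.51.100.9 - - [27/Apr/2026:19:21:13 +0000] "GET /cgi-bin/cstecgi.cgi?setStorageCfg&sambaEnabled=1%20ping%20192.0.2.10 HTTP/1.1" 200 41',
    '198.51.100.9 - - [27/Apr/2026:19:21:40 +0000] "GET /cgi-bin/cstecgi.cgi?setStorageCfg&sambaEnabled=1+x HTTP/1.1" 200 41',
    '203.0.113.4 - - [27/Apr/2026:19:22:02 +0000] "GET /index.html?sambaEnabled=1%20ping%201 HTTP/1.1" 404 0',
]

def request_target(line):
    """Return the split request URL from an access-log line, or None."""
    m = REQUEST.search(line)
    return urlsplit(m.group(1)) if m else None

def literal_rule(line):
    """Approximates the Sigma selection: raw, undecoded substring matches."""
    url = request_target(line)
    if url is None or CGI_PATH not in url.path:
        return False
    query = url.query.lower()
    return all(s in query for s in ("setstoragecfg", "sambaenabled", "ping", " "))

def allowlist_hit(line):
    """Flag setStorageCfg requests whose decoded sambaEnabled is not a plain token."""
    url = request_target(line)
    if url is None or url.path != CGI_PATH:
        return False
    if FUNC not in unquote_plus(url.query):
        return False
    values = parse_qs(url.query, keep_blank_values=True).get(ARG, [])
    return any(not SAFE_VALUE.fullmatch(v) for v in values)

def flagged(lines):
    """Indices of log lines the allow-list check considers suspicious."""
    return [i for i, line in enumerate(lines) if allowlist_hit(line)]

if __name__ == "__main__":
    for i in flagged(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

On the constructed sample, the allow-list check flags the two requests with a non-token sambaEnabled value, while the literal substring logic flags none because the spaces are logged in encoded form.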

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7137 | Command Injection | Totolink A8000RU version 7.1cu.643_b20200521 |
| CVE-2026-7137 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi |
| CVE-2026-7137 | Command Injection | Vulnerable function: setStorageCfg |
| CVE-2026-7137 | Command Injection | Vulnerable argument: sambaEnabled |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
