CVE-2026-7138: Critical Command Injection in Totolink Routers
The National Vulnerability Database has disclosed CVE-2026-7138, a critical vulnerability impacting Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. This flaw resides within the CGI Handler component, specifically in the cgi-bin/cstecgi.cgi file. Attackers can exploit a weakness in the setNtpCfg function by manipulating the tz argument to achieve arbitrary OS command injection. The National Vulnerability Database highlights that this vulnerability is remotely exploitable and the exploit is publicly available, posing an immediate threat.
With a CVSS score of 9.8 (CRITICAL), this vulnerability allows unauthenticated, remote attackers to execute commands on the affected devices. This means attackers can potentially take full control of the router, leading to network compromise, data exfiltration, or the device being used as a pivot point for further attacks. Given the widespread use of consumer-grade routers, the potential attack surface is significant, and the public availability of an exploit drastically lowers the barrier for malicious actors. Defenders must prioritize patching or replacing affected devices immediately.
What This Means For You
- If your organization uses or has deployed Totolink A8000RU routers, check the firmware version immediately. If it matches 7.1cu.643_b20200521, you are vulnerable to remote command injection. Isolate these devices from critical networks and update firmware or replace the hardware without delay.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7138: Totolink Router NTP Command Injection
title: CVE-2026-7138: Totolink Router NTP Command Injection
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-7138 by targeting the setNtpCfg function in the /cgi-bin/cstecgi.cgi script. The rule specifically looks for the 'tz=' parameter containing backticks, which are used to inject OS commands. This is a critical initial access vector for compromising Totolink routers.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7138/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/cgi-bin/cstecgi.cgi'
cs-uri-query|contains:
- 'setNtpCfg'
cs-uri-query|contains:
- 'tz='
cs-uri-query|contains:
- '`'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7138 | Command Injection | Totolink A8000RU 7.1cu.643_b20200521 |
| CVE-2026-7138 | Command Injection | /cgi-bin/cstecgi.cgi |
| CVE-2026-7138 | Command Injection | function setNtpCfg |
| CVE-2026-7138 | Command Injection | argument tz |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7142 — A vulnerability was determined in Wooey up to 0.13.2. The
CVE-2026-7142 — A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component...
CVE-2026-7141 — Vllm Vulnerability
CVE-2026-7141 — A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component...
CVE-2026-7140: Critical OS Command Injection in Totolink A8000RU Routers
CVE-2026-7140 — A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler....