Totolink A8000RU Critical Command Injection (CVE-2026-7152)
A critical vulnerability, CVE-2026-7152, has been identified in the Totolink A8000RU router, specifically in version 7.1cu.643_b20200521. The National Vulnerability Database reports that the flaw resides within the setTelnetCfg function of the /cgi-bin/cstecgi.cgi component. Manipulating the telnet_enabled argument leads directly to OS command injection.
This vulnerability carries a CVSS score of 9.8 (CRITICAL), placing it in the highest severity band. Attackers can exploit it remotely, and exploit code is already publicly available. The ease of exploitation combined with remote access capability makes this a prime target for initial access by threat actors, allowing them to gain full control over affected devices.
For defenders, this means exposed Totolink A8000RU devices are sitting ducks. Adversaries are constantly scanning for known vulnerabilities with public exploits. This isn’t theoretical; it’s a direct route into your network perimeter. Given the nature of command injection, an attacker can execute arbitrary commands, establish persistence, and pivot deeper into the network.
What This Means For You
- If your organization uses Totolink A8000RU routers, especially the specified version, you must immediately assess your exposure. Prioritize patching or isolating these devices. Assume compromise if they are internet-facing and unpatched — audit network logs for unusual activity originating from these devices.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-7152 Totolink A8000RU Command Injection via setTelnetCfg
```yaml
title: CVE-2026-7152 Totolink A8000RU Command Injection via setTelnetCfg
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7152 by targeting the setTelnetCfg function in Totolink A8000RU devices. The rule looks for specific URI paths and query parameters indicative of an OS command injection attempt via the 'telnet_enabled' argument, which is a direct indicator of this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7152/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi-bin/cstecgi.cgi'
    # All three substrings must be present in the query string. Repeating the
    # same key three times is a duplicate YAML key, so only one would survive.
    cs-uri-query|contains|all:
      - 'setTelnetCfg'
      - 'telnet_enabled=1'
      - 'cmd='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
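For the log audit recommended above, the following Python script is an added example (not code from the original page, NVD, or Totolink). It applies the advisory's indicators to access-log lines, using an allowlist on telnet_enabled instead of fixed substrings. It assumes the parameters appear in the logged query string, as the Sigma rule does, and that a legitimate toggle only sends 0 or 1; the log lines and the `action` key are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Identifiers taken from the advisory text and its Sigma rule.
CGI_PATH, FUNCTION, ARGUMENT = "/cgi-bin/cstecgi.cgi", "setTelnetCfg", "telnet_enabled"
ALLOWED = {"0", "1"}  # assumption: a legitimate on/off toggle only sends 0 or 1

# Common/combined access-log layout: src ident user [time] "METHOD URI PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*"')

def decoded_pairs(query):
    """Split a raw query string on '&' and URL-decode every key and value."""
    pairs = []
    for item in query.split("&"):
        key, _, value = item.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def classify(line):
    """Return None, or (source, verdict, telnet_enabled values) for a setTelnetCfg call."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, uri = m.groups()
    path, _, query = uri.partition("?")
    if CGI_PATH not in unquote_plus(path) or FUNCTION not in unquote_plus(query):
        return None
    pairs = decoded_pairs(query)
    values = [v for k, v in pairs if k == ARGUMENT]
    # Allowlist: exactly one telnet_enabled value, and it is a bare 0 or 1.
    clean = len(values) == 1 and values[0] in ALLOWED
    # 'cmd=' is the extra marker the page's Sigma rule matches on.
    has_cmd = any(k == "cmd" for k, _ in pairs)
    return (src, "review" if clean and not has_cmd else "suspicious", values)

def scan(lines):
    """Classify every line and keep only the setTelnetCfg hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: documentation IP ranges, placeholder values, made-up 'action' key.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Apr/2026:10:01:00 +0000] "GET /cgi-bin/cstecgi.cgi?action=setTelnetCfg&telnet_enabled=0 HTTP/1.1" 200 32',
    '203.0.113.7 - - [27/Apr/2026:10:02:00 +0000] "POST /cgi-bin/cstecgi.cgi?action=setTelnetCfg&telnet_enabled=1%3BPLACEHOLDER HTTP/1.1" 200 32',
    '203.0.113.7 - - [27/Apr/2026:10:03:00 +0000] "GET /cgi-bin/cstecgi.cgi?action=setTelnetCfg&telnet_enabled=1&cmd=PLACEHOLDER HTTP/1.1" 200 32',
]

if __name__ == "__main__":
    for src, verdict, values in scan(SAMPLE_LOG):
        print(f"{verdict:<10} {src:<15} {ARGUMENT}={values}")
```

Access logs do not record request bodies, so a request that carries these parameters in a POST body is only visible to this check through a proxy log or packet capture.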
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7152 | Command Injection | Totolink A8000RU 7.1cu.643_b20200521 |
| CVE-2026-7152 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi |
| CVE-2026-7152 | Command Injection | Vulnerable function: setTelnetCfg |
| CVE-2026-7152 | Command Injection | Vulnerable argument: telnet_enabled |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.