🚨 BREAKING

CVE-2026-7153: Critical OS Command Injection in Totolink A8000RU Routers

The National Vulnerability Database has disclosed CVE-2026-7153, a critical OS command injection vulnerability in Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. This flaw resides within the setMiniuiHomeInfoShow function of the /cgi-bin/cstecgi.cgi file, specifically within the CGI Handler component. Attackers can exploit this by manipulating the sys_info argument.

This vulnerability carries a CVSSv3.1 score of 9.8, indicating critical severity. It allows remote, unauthenticated command injection, granting attackers full control over the device. Exploit code is publicly available, which significantly increases the immediate risk of widespread compromise for unpatched devices. No affected products beyond the Totolink A8000RU router are listed.

For defenders, this means any internet-exposed Totolink A8000RU device running the vulnerable firmware is an open door. Attackers can leverage this to establish persistent access, pivot into internal networks, or integrate devices into botnets. Given the public exploit, mass scanning and exploitation attempts are highly probable. Prioritize patching or isolating these devices immediately.

What This Means For You

  • If your organization uses Totolink A8000RU routers, especially for remote access or critical infrastructure, you are directly exposed. This is a 9.8 CVSS critical vulnerability with a public exploit. Immediately identify all Totolink A8000RU devices, confirm their firmware version, and apply available patches. If patching isn't feasible, pull them off the network or place them behind stringent firewall rules that block external access to the administrative interface. Audit network logs for any unusual outbound connections from these devices.

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one of them, in Sigma YAML, is shown below.

Severity: critical · ATT&CK: T1059.004 (Execution)

CVE-2026-7153: OS Command Injection via setMiniuiHomeInfoShow in Totolink Router

Sigma YAML
title: CVE-2026-7153: OS Command Injection via setMiniuiHomeInfoShow in Totolink Router
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7153 by targeting the setMiniuiHomeInfoShow function in Totolink A8000RU routers. The rule looks for specific URI paths and query parameters indicative of command injection attempts, specifically targeting the 'sys_info' argument with common command injection characters like spaces, '&&', and ';', and common commands like 'ping'.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7153/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: webserver
detection:
  # Request must hit the vulnerable CGI and name both the function and the argument.
  selection_target:
    cs-uri|contains: '/cgi-bin/cstecgi.cgi'
    cs-uri-query|contains|all:
      - 'setMiniuiHomeInfoShow'
      - 'sys_info='
  # Any one of these tokens in the query string is treated as an injection marker.
  selection_injection:
    cs-uri-query|contains:
      - 'ping'
      - ' '
      - '&&'
      - ';'
  condition: selection_target and selection_injection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
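As an added example (not part of the original page or of the SCW rule), the rule's logic written out in Python and run over a few constructed W3C-style webserver log lines, so the AND/OR structure can be checked offline before the Sigma rule is deployed. It goes slightly beyond the Sigma rule in one respect: it URL-decodes the query string before looking for the injection tokens, because ';', '&&' and spaces usually arrive percent-encoded in a URI and a literal substring match would miss them. The `func=` parameter name, the IP addresses and the log lines themselves are invented for this example.

```python
"""Offline check of the CVE-2026-7153 detection logic (added example).

Mirrors the Sigma rule: request path contains /cgi-bin/cstecgi.cgi AND the
query names setMiniuiHomeInfoShow and sys_info= AND any injection token.
"""
from urllib.parse import unquote_plus

VULN_PATH = "/cgi-bin/cstecgi.cgi"
REQUIRED_IN_QUERY = ("setMiniuiHomeInfoShow", "sys_info=")   # ANDed
INJECTION_TOKENS = ("ping", " ", "&&", ";")                  # ORed

# Constructed sample, W3C-style fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The 'func=' parameter name is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
2026-04-28 01:02:03 192.0.2.10 POST /cgi-bin/cstecgi.cgi func=setMiniuiHomeInfoShow&sys_info=1%3Bping%20192.0.2.99 200
2026-04-28 01:02:04 192.0.2.11 GET /cgi-bin/cstecgi.cgi func=setMiniuiHomeInfoShow&sys_info=1 200
2026-04-28 01:02:05 192.0.2.12 GET /index.html - 200
2026-04-28 01:02:06 192.0.2.13 GET /cgi-bin/cstecgi.cgi func=getShoppingList&sys_info=1 200
"""


def parse_w3c_line(line):
    """Split one constructed W3C-style line into the fields the rule needs."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, c_ip, method, uri_stem, uri_query, status = fields
    return {
        "c-ip": c_ip,
        "cs-method": method,
        "cs-uri-stem": uri_stem,
        "cs-uri-query": "" if uri_query == "-" else uri_query,
        "sc-status": status,
    }


def injection_tokens_found(uri_query, decode=True):
    """Return the injection tokens present in the query string.

    With decode=True the query is percent-decoded first (so %3B matches ';',
    %20 matches ' '); with decode=False this behaves like the plain Sigma rule.
    """
    haystack = unquote_plus(uri_query) if decode else uri_query
    return [tok for tok in INJECTION_TOKENS if tok in haystack]


def matches_rule(uri_stem, uri_query, decode=True):
    """Apply the full rule: path AND both required substrings AND any token."""
    if VULN_PATH not in uri_stem:
        return False
    haystack = unquote_plus(uri_query) if decode else uri_query
    if not all(tok in haystack for tok in REQUIRED_IN_QUERY):
        return False
    return any(tok in haystack for tok in INJECTION_TOKENS)


def scan(log_text, decode=True):
    """Run the rule over a log and return (client ip, tokens seen) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        if matches_rule(rec["cs-uri-stem"], rec["cs-uri-query"], decode):
            hits.append((rec["c-ip"],
                         injection_tokens_found(rec["cs-uri-query"], decode)))
    return hits


if __name__ == "__main__":
    for ip, tokens in scan(SAMPLE_LOG):
        print(f"ALERT CVE-2026-7153 pattern from {ip}: tokens={tokens}")
```

Two things worth noting when running it. First, the fourth sample line contains the substring "ping" (in getShoppingList) and "sys_info=", yet does not alert, because the function name gate is missing; that gate is what keeps the weak 'ping' token usable. Second, the router's own web server will not normally ship these logs, so the rule is realistically applied at a reverse proxy, WAF or IDS with HTTP logging that sits in front of the device.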

Indicators of Compromise

ID            | Type              | Indicator
CVE-2026-7153 | Command Injection | Totolink A8000RU 7.1cu.643_b20200521
CVE-2026-7153 | Command Injection | Vulnerable function: setMiniuiHomeInfoShow
CVE-2026-7153 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7153 | Command Injection | Vulnerable component: CGI Handler
CVE-2026-7153 | Command Injection | Vulnerable argument: sys_info

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-7191: qnabot-on-aws Admin RCE via Prototype Manipulation

CVE-2026-7191 — Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to...

CVE-2026-7158: dmitryglhf mcp-url-downloader SSRF Vulnerability

CVE-2026-7158 — A vulnerability has been found in dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. Affected by this issue is the function _validate_url_safe of the file src/mcp_url_downloader/server.py....

CVE-2026-7157: Aider-MCP-Server Command Injection Vulnerability

CVE-2026-7157 — A flaw has been found in disler aider-mcp-server up to b2516fa466d0d851932da92ee6d0e66946db9efc. Affected by this vulnerability is an unknown functionality of the file src/aider_mcp_server/server.py...
