🚨 BREAKING

Totolink A8000RU Critical OS Command Injection (CVE-2026-7154)

/CRITICAL /CVSS 9.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitycommand-injectioncwe-77cwe-78
Totolink A8000RU Critical OS Command Injection (CVE-2026-7154)

A critical vulnerability, tracked as CVE-2026-7154, has been identified in Totolink A8000RU firmware version 7.1cu.643_b20200521. The National Vulnerability Database reports this flaw resides in the setAdvancedInfoShow function within the /cgi-bin/cstecgi.cgi component.

This weakness allows for remote OS command injection through manipulation of the tty_server argument. With a CVSS score of 9.8, this vulnerability is considered critical. Attackers can exploit this remotely, and public exploit code is already available, significantly increasing the immediate risk.

The implications are severe: successful exploitation grants attackers arbitrary command execution on the affected device. This could lead to full device compromise, network pivot points, data exfiltration, or denial of service. The widespread use of such routers in home and small office environments makes this a high-priority threat for many organizations and individuals.

What This Means For You

  • If your organization or employees use Totolink A8000RU routers, especially the 7.1cu.643_b20200521 firmware, immediate action is required. Prioritize patching or replacing these devices. Audit network logs for any unusual activity originating from or targeting these routers, as public exploit code means active exploitation is highly probable.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7154 Totolink A8000RU OS Command Injection via tty_server

Sigma YAML — free preview 
title: CVE-2026-7154 Totolink A8000RU OS Command Injection via tty_server
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects the specific OS command injection vulnerability (CVE-2026-7154) in Totolink A8000RU devices. The rule looks for requests to '/cgi-bin/cstecgi.cgi' with the 'setAdvancedInfoShow' function and a 'tty_server' parameter containing a command like 'ping' followed by a space, indicating a potential command injection attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7154/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|startswith:
          - '/cgi-bin/cstecgi.cgi'
      cs-uri-query|contains:
          - 'setAdvancedInfoShow'
      cs-uri-query|contains:
          - 'tty_server='
      cs-uri-query|contains:
          - 'ping'
      cs-uri-query|contains:
          - ' ' 
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7154 Command Injection Totolink A8000RU version 7.1cu.643_b20200521
CVE-2026-7154 Command Injection Vulnerable component: CGI Handler
CVE-2026-7154 Command Injection Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7154 Command Injection Vulnerable function: setAdvancedInfoShow
CVE-2026-7154 Command Injection Vulnerable argument: tty_server

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 28, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7178: ChatGPTNextWeb NextChat SSRF Vulnerability

CVE-2026-7178 — A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 5 IOCs /⚙ 3 Sigma

ChatGPTNextWeb NextChat SSRF Vulnerability (CVE-2026-7177) Exposed

CVE-2026-7177 — A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 2 IOCs /⚙ 3 Sigma

Tenda HG3 Router Command Injection (CVE-2026-7160) Exposes Networks

CVE-2026-7160 — A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the...

vulnerabilityCVEhigh-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 5 Sigma