🚨 BREAKING

Totolink A8000RU Faces Critical Remote Command Injection (CVE-2026-7155)

/CRITICAL /CVSS 9.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitycommand-injectioncwe-77cwe-78
Totolink A8000RU Faces Critical Remote Command Injection (CVE-2026-7155)

A critical security vulnerability, identified as CVE-2026-7155, has been disclosed in Totolink A8000RU firmware version 7.1cu.643_b20200521. This flaw resides within the setLoginPasswordCfg function of the /cgi-bin/cstecgi.cgi component, specifically through the manipulation of the admpass argument. The National Vulnerability Database attributes this to an OS command injection, a dangerous class of vulnerability often leading to full system compromise.

This is a severe issue. National Vulnerability Database has assigned CVE-2026-7155 a CVSSv3.1 score of 9.8 (CRITICAL), indicating that it is easily exploitable remotely without authentication (AV:N, PR:N, UI:N). The public disclosure of an exploit further raises the alarm. Attackers can leverage this to execute arbitrary commands on affected devices, potentially gaining complete control over the router and, by extension, the network it manages. This translates directly to network persistence, data exfiltration, or launching further attacks from within the victim’s infrastructure.

For defenders, this means any Totolink A8000RU devices running the specified firmware are effectively wide open. The attacker’s calculus is straightforward: find these devices, exploit the publicly available proof-of-concept, and gain a foothold. This isn’t theoretical; it’s a direct threat that needs immediate attention. Command injection vulnerabilities are a gift for adversaries, offering a low-effort path to high-impact results, aligning with CWE-77 and CWE-78.

What This Means For You

  • If your organization uses Totolink A8000RU routers, specifically firmware version 7.1cu.643_b20200521, you must prioritize patching or isolating these devices immediately. This remote command injection (CVE-2026-7155) allows unauthenticated attackers to execute arbitrary code, leading to complete device compromise. Audit your network for these specific devices and ensure they are either updated or removed from internet-facing positions.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7155 Totolink A8000RU Command Injection via setLoginPasswordCfg

Sigma YAML — free preview 
title: CVE-2026-7155 Totolink A8000RU Command Injection via setLoginPasswordCfg
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7155 by targeting the setLoginPasswordCfg function in Totolink A8000RU devices. The rule specifically looks for requests to /cgi-bin/cstecgi.cgi with the 'setLoginPasswordCfg' parameter and the 'admpass' argument, combined with characters commonly used in OS command injection payloads (&&, ;, |, $, `).
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7155/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/cgi-bin/cstecgi.cgi'
      cs-uri-query|contains:
          - 'setLoginPasswordCfg'
      cs-uri-query|contains:
          - 'admpass='
  selection_command_injection:
      cs-uri-query|contains:
          - '&&'
      cs-uri-query|contains:
          - ';'
      cs-uri-query|contains:
          - '|'
      cs-uri-query|contains:
          - '$'
      cs-uri-query|contains:
          - '`'
  condition: selection AND selection_command_injection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7155 Command Injection Totolink A8000RU version 7.1cu.643_b20200521
CVE-2026-7155 Command Injection Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7155 Command Injection Vulnerable function: setLoginPasswordCfg
CVE-2026-7155 Command Injection Vulnerable argument: admpass

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 28, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7178: ChatGPTNextWeb NextChat SSRF Vulnerability

CVE-2026-7178 — A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 5 IOCs /⚙ 3 Sigma

ChatGPTNextWeb NextChat SSRF Vulnerability (CVE-2026-7177) Exposed

CVE-2026-7177 — A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 2 IOCs /⚙ 3 Sigma

Tenda HG3 Router Command Injection (CVE-2026-7160) Exposes Networks

CVE-2026-7160 — A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the...

vulnerabilityCVEhigh-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 5 Sigma