Totolink A8000RU Critical OS Command Injection (CVE-2026-7202)


The National Vulnerability Database has disclosed a critical OS command injection vulnerability, CVE-2026-7202, affecting Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. This flaw exists within the setWiFiWpsStart function of the /cgi-bin/cstecgi.cgi component.

Attackers can exploit this vulnerability by manipulating the wscDisabled argument, leading to remote code execution. The severity is rated as 9.8 (CRITICAL) on the CVSS scale, indicating a high potential for impact without requiring authentication or user interaction. The exploit code has been publicly disclosed, significantly increasing the immediate risk for unpatched devices.

This is a classic perimeter compromise scenario. Given the public disclosure, any Totolink A8000RU device exposed to the internet with the affected firmware is a sitting duck. Attackers will leverage this for initial access, network pivoting, and establishing persistent footholds, turning a simple router into a gateway to internal networks.

What This Means For You

  • If your organization uses Totolink A8000RU routers, especially in internet-facing deployments, you need to identify and isolate these devices immediately. Verify your firmware version against 7.1cu.643_b20200521 and seek vendor advisories for patches or mitigation steps. Assume compromise if these devices are unpatched and exposed; conduct forensic analysis to detect unauthorized access.


🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-7202 Totolink A8000RU OS Command Injection via setWiFiWpsStart

Sigma YAML
title: CVE-2026-7202 Totolink A8000RU OS Command Injection via setWiFiWpsStart
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-7202 by targeting the setWiFiWpsStart function in Totolink A8000RU devices. It specifically looks for requests to /cgi-bin/cstecgi.cgi with the 'setWiFiWpsStart' function and the 'wscDisabled' parameter, followed by characters indicative of command injection (e.g., ';', '|', '&&', '||'). This is a critical initial access vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7202/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Request reaches the vulnerable CGI handler and names the function and argument.
  selection:
    cs-uri|contains: '/cgi-bin/cstecgi.cgi'
    # "all" requires both strings; repeating the key would make YAML keep only one.
    cs-uri-query|contains|all:
      - 'setWiFiWpsStart'
      - 'wscDisabled='
  # Shell metacharacters directly after the argument.
  selection_command_injection:
    cs-uri-query|contains:
      - 'wscDisabled=;'
      - 'wscDisabled=|'
      - 'wscDisabled= &&'
      - 'wscDisabled= ||'
  # Sigma condition operators are lowercase.
  condition: selection and selection_command_injection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
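
The rule above only matches literal ';', '|', '&&' or '||' directly after 'wscDisabled=', so a percent-encoded or offset metacharacter goes unmatched when the log stores the raw query. The Python below is an added example, not part of the original rule or of any vendor code; it goes beyond the rule by decoding the value before testing it. Like the rule, it assumes the function name and argument appear in the logged query string; the 'fn' parameter name, the PLACEHOLDER text and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that never belong in an on/off flag: ; | & ` $ ( ) < > CR LF
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[0-9.]+"')  # access-log request line
# Raw wscDisabled value: runs to the next "&name=" pair or the end of the query.
WSC_VALUE = re.compile(r"(?:^|&)wscDisabled=(?P<val>.*?)(?=&\w+=|$)")

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so a double-encoded %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def check_line(line):
    """Return the decoded wscDisabled value if it holds shell metacharacters, else None."""
    req = REQUEST.search(line)
    if not req:
        return None
    parts = urlsplit(req.group("uri"))
    raw = WSC_VALUE.search(parts.query)
    on_target = parts.path.endswith("/cgi-bin/cstecgi.cgi") and raw is not None
    if not on_target or "setWiFiWpsStart" not in decode_fully(parts.query):
        return None
    value = decode_fully(raw.group("val"))
    return value if SHELL_META.search(value) else None

# Constructed log lines; "fn" and PLACEHOLDER are hypothetical, not from the advisory.
PREFIX = '198.51.100.7 - - [28/Apr/2026:04:20:01 +0000] "GET '
CGI = "/cgi-bin/cstecgi.cgi?fn=setWiFiWpsStart&wscDisabled="
SAMPLE_LOG = [
    PREFIX + CGI + '0 HTTP/1.1" 200 31',                    # normal toggle
    PREFIX + CGI + '%3BPLACEHOLDER HTTP/1.1" 200 31',       # encoded ';'
    PREFIX + CGI + '0%257CPLACEHOLDER HTTP/1.1" 200 31',    # double-encoded '|'
    PREFIX + CGI + '0&&PLACEHOLDER HTTP/1.1" 200 31',       # raw '&&' after a value
    PREFIX + '/index.html?wscDisabled=%3BPLACEHOLDER HTTP/1.1" 404 0',  # other path
]

def scan(lines):
    """Return (index, decoded value) for every flagged line."""
    hits = ((i, check_line(line)) for i, line in enumerate(lines))
    return [(i, v) for i, v in hits if v is not None]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Of the three flagged sample lines, none would match the literal patterns in the Sigma rule, which is why decoding before matching matters for triage.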


Indicators of Compromise

ID | Type | Indicator
CVE-2026-7202 | Command Injection | Totolink A8000RU version 7.1cu.643_b20200521
CVE-2026-7202 | Command Injection | Vulnerable component: CGI Handler
CVE-2026-7202 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7202 | Command Injection | Vulnerable function: setWiFiWpsStart
CVE-2026-7202 | Command Injection | Manipulation of argument: wscDisabled

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 04:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
