Totolink A8000RU Critical OS Command Injection (CVE-2026-7203)

/CRITICAL /CVSS 9.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitycommand-injectioncwe-77cwe-78
Totolink A8000RU Critical OS Command Injection (CVE-2026-7203)

The National Vulnerability Database has disclosed CVE-2026-7203, a critical OS command injection vulnerability impacting Totolink A8000RU routers, specifically version 7.1cu.643_b20200521. This flaw resides within the setUrlFilterRules function of the /cgi-bin/cstecgi.cgi component, where manipulating the enable argument allows for remote command execution. The CVSS score is a maximum 9.8, indicating extreme severity and ease of exploitation.

This is a classic unauthenticated remote code execution scenario. An attacker can leverage this vulnerability without needing any credentials, directly injecting arbitrary OS commands into the device’s operating system. The National Vulnerability Database states that an exploit for this vulnerability has been made public, meaning it’s likely being actively weaponized or will be soon. Defenders must assume this is an active threat.

The implications are dire. Successful exploitation grants full control over the router, allowing attackers to pivot deeper into the network, intercept traffic, establish persistence, or launch further attacks. Given the widespread use of SOHO/SMB routers, this vulnerability could expose many smaller organizations and remote workers to significant risk.

What This Means For You

  • If your organization uses Totolink A8000RU routers, specifically version 7.1cu.643_b20200521, you are immediately exposed. Verify if these devices are present in your environment, especially in remote offices or for work-from-home setups. Isolate or replace affected devices immediately, as patching may not be an option if the vendor has not released a fix. Block external access to the administration interfaces of these devices if direct replacement isn't feasible.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7203 - Totolink A8000RU OS Command Injection via setUrlFilterRules

Sigma YAML — free preview 
title: CVE-2026-7203 - Totolink A8000RU OS Command Injection via setUrlFilterRules
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7203 by targeting the setUrlFilterRules function in Totolink A8000RU devices. The rule specifically looks for requests to '/cgi-bin/cstecgi.cgi' containing 'setUrlFilterRules' and 'enable=' along with characters indicative of command injection (;, |, &) within the query string. This is a critical initial access vector for this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7203/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/cgi-bin/cstecgi.cgi'
      cs-uri-query|contains:
          - 'setUrlFilterRules'
      cs-uri-query|contains:
          - 'enable='
      cs-uri-query|contains:
          - ' ' 
  selection_command_injection:
      cs-uri-query|contains:
          - ';'
      cs-uri-query|contains:
          - '|'
      cs-uri-query|contains:
          - '&'
  condition: selection AND selection_command_injection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7203 Command Injection Totolink A8000RU 7.1cu.643_b20200521
CVE-2026-7203 Command Injection Vulnerable function: setUrlFilterRules
CVE-2026-7203 Command Injection Vulnerable file: /cgi-bin/cstecgi.cgi
CVE-2026-7203 Command Injection Vulnerable component: CGI Handler
CVE-2026-7203 Command Injection Manipulation of argument: enable

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 28, 2026 at 04:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7218: Totolink N300RT Buffer Overflow Exploited Remotely

CVE-2026-7218 — A vulnerability was detected in Totolink N300RT 3.4.0-B20250430. The impacted element is the function is_cmd_string_valid of the file /boafrm/formWsc of the component libapmib.so....

vulnerabilityCVEhigh-severitybuffer-overflowcwe-119cwe-120
/SCW Vulnerability Desk /HIGH /7.2 /⚑ 3 IOCs /⚙ 5 Sigma

CVE-2026-7217 — Deepractice PromptX Path Traversal

CVE-2026-7217 — A security vulnerability has been detected in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts...

vulnerabilityCVEmedium-severitypath-traversalcwe-22cwe-36
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7216: donchelo processing-claude-mcp-bridge Path Traversal

CVE-2026-7216 — A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component...

vulnerabilityCVEhigh-severitypath-traversalcwe-22
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 4 IOCs /⚙ 3 Sigma