Totolink RCE: CVE-2026-7243 Exposes Routers to Critical Command Injection
The National Vulnerability Database has detailed CVE-2026-7243, a critical vulnerability in Totolink’s A8000RU router firmware version 7.1cu.643_b20200521. Attackers can exploit a flaw in the CGI Handler’s setRadvdCfg function within the cgi-bin/cstecgi.cgi file. By manipulating the maxRtrAdvInterval argument, remote attackers can achieve arbitrary operating system command injection.
This vulnerability carries a CVSS score of 9.8 (Critical) and is remotely exploitable without user interaction or privileges. The availability of public exploits means this device is a prime target for threat actors seeking to compromise network perimeters. Organizations deploying these routers face significant risk if the firmware remains unpatched.
Defenders must immediately identify and update or isolate any Totolink A8000RU devices running the affected firmware. Given the critical nature and public exploit availability, a proactive approach is essential. Network segmentation and strict access controls on router management interfaces are crucial hardening measures.
What This Means For You
- If your organization uses Totolink A8000RU routers with firmware version 7.1cu.643_b20200521, you must patch immediately or isolate these devices. This flaw allows remote command injection, potentially giving attackers full control over your network edge.
🛡️ Detection Rules
CVE-2026-7243 Totolink A8000RU Command Injection via setRadvdCfg
title: CVE-2026-7243 Totolink A8000RU Command Injection via setRadvdCfg
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  This rule detects exploitation attempts against CVE-2026-7243 affecting Totolink A8000RU routers. The vulnerability allows OS command injection through the setRadvdCfg function by manipulating the maxRtrAdvInterval argument. The detection looks for the specific CGI script and query parameters indicative of an exploit, including common command injection payloads like 'ping', 'wget', or 'busybox' within the maxRtrAdvInterval parameter.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7243/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: webserver
detection:
  # Request targets the vulnerable CGI handler and sets the injectable argument
  selection_endpoint:
    cs-uri|contains:
      - '/cgi-bin/cstecgi.cgi'
    cs-uri-query|contains|all:
      - 'setRadvdCfg'
      - 'maxRtrAdvInterval='
  # At least one of the payload keywords appears in the query string
  selection_payload:
    cs-uri-query|contains:
      - 'ping'
      - 'wget'
      - 'busybox'
  condition: selection_endpoint and selection_payload
falsepositives:
  - Legitimate administrative activity
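The rule above depends on payload keywords appearing in the query string. As an added example (not part of the original page or the SCW rule set), the Python below applies the same endpoint match to web access logs but flags any maxRtrAdvInterval value that is not a plain integer, so percent-encoded or keyword-free values are also caught. Assumptions: the parameters are logged in the query string as the rule expects, a legitimate interval is a bare number, and the `action=` layout and log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/cstecgi.cgi"        # CGI path named on this page
HANDLER = "setRadvdCfg"                  # vulnerable function
PARAM = "maxRtrAdvInterval"              # injectable argument
KEYWORDS = ("ping", "wget", "busybox")   # payload keywords used by the rule
NUMERIC = re.compile(r"\d{1,10}")        # assumption: valid values are plain integers
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, hypothetical query layout)
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Apr/2026:12:20:01 +0000] "GET /cgi-bin/cstecgi.cgi?action=setRadvdCfg&maxRtrAdvInterval=600 HTTP/1.1" 200 31',
    '198.51.100.7 - - [28/Apr/2026:12:20:05 +0000] "GET /cgi-bin/cstecgi.cgi?action=setRadvdCfg&maxRtrAdvInterval=600%3Bping%20192.0.2.10 HTTP/1.1" 200 31',
    '198.51.100.7 - - [28/Apr/2026:12:20:09 +0000] "GET /cgi-bin/cstecgi.cgi?action=setRadvdCfg&maxRtrAdvInterval=%24%28id%29 HTTP/1.1" 200 31',
    '198.51.100.7 - - [28/Apr/2026:12:20:12 +0000] "GET /index.html?q=ping HTTP/1.1" 200 512',
]

def classify(request_uri):
    """Return None for unrelated requests, else a verdict for a setRadvdCfg call."""
    parts = urlsplit(request_uri)
    if ENDPOINT not in parts.path or HANDLER not in parts.query:
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are seen in clear
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    bad = [v for v in values if not NUMERIC.fullmatch(v)]
    return {
        "suspicious": bool(bad),
        "keyword_hit": any(k in v.lower() for v in bad for k in KEYWORDS),
        "values": values,
    }

def scan(lines):
    """Return (line number, keyword_hit, decoded values) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict and verdict["suspicious"]:
            hits.append((n, verdict["keyword_hit"], verdict["values"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `keyword_hit` set to False is a request the keyword-based rule would not have matched.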
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7243 | Vulnerability | CVE-2026-7243 |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.