Totolink A7000R cstecgi.cgi setUpgradeFW command injection_CVE-2026-1623

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Basic Information

ID CVE-2026-1623

Source VulDB

Published Jan 29, 2026 at 20:32

Modified Jan 29, 2026 at 21:19

Affected Product

Vendor Totolink

Product A7000R

Version 4.1cu.4154

Affected Versions Totolink A7000R 4.1cu.4154

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.",
    "published": "2026-01-29T20:32:08.374Z",
    "modified": "2026-01-29T21:19:26.419Z",
    "type": "cve",
    "title": "Totolink A7000R cstecgi.cgi setUpgradeFW command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.343382\nhttps://vuldb.com/?ctiid.343382\nhttps://vuldb.com/?submit.740767\nhttps://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md\nhttps://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md#poc\nhttps://www.totolink.net/",
    "id": "CVE-2026-1623",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "Totolink A7000R 4.1cu.4154",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "A7000R",
    "version": "4.1cu.4154",
    "vendor": "Totolink",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}