CVE 9.3 CRITICAL

Totolink A8000RU CGI cstecgi.cgi setIptvCfg os command injection_CVE-2026-7123

April 27, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.

AI Analysis

OS command injection vulnerability in Totolink A8000RU via manipulation of the setIptvCfg argument in the /cgi-bin/cstecgi.cgi file

Basic Information

ID CVE-2026-7123

Source VulDB

Published Apr 27, 2026 at 12:15

Affected Product

Vendor Totolink

Product A8000RU

Version 7.1cu.643_b20200521

Affected Versions Totolink A8000RU 7.1cu.643_b20200521

CWE Classification

CWE-78 CWE-77

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Totolink

Product A8000RU

Version 7.1cu.643_b20200521

References

{
    "lastseen": "",
    "description": "A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.",
    "published": "2026-04-27T12:15:12.275Z",
    "modified": "2026-04-27T12:15:12.275Z",
    "type": "cve",
    "title": "Totolink A8000RU CGI cstecgi.cgi setIptvCfg os command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/359722\nhttps://vuldb.com/vuln/359722/cti\nhttps://vuldb.com/submit/800995\nhttps://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_308/README.md\nhttps://www.totolink.net/",
    "id": "CVE-2026-7123",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-77"
    ],
    "cvelist": null,
    "sourceData": "Totolink A8000RU 7.1cu.643_b20200521",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "A8000RU",
    "version": "7.1cu.643_b20200521",
    "vendor": "Totolink",
    "ai_description": "OS command injection vulnerability in Totolink A8000RU via manipulation of the setIptvCfg argument in the /cgi-bin/cstecgi.cgi file",
    "ai_severity": "Critical",
    "ai_vendor": "Totolink",
    "ai_product": "A8000RU",
    "ai_version": "7.1cu.643_b20200521",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply