Within a few days in late April 2026, 22 CVEs rated CRITICAL (CVSS 9.8) were published against the Totolink A8000RU router on firmware 7.1cu.643_b20200521. They all exploit the same component — the CGI binary /cgi-bin/cstecgi.cgi — and they all enable remote, unauthenticated OS command injection, with public exploits. This article consolidates the lot to provide a coherent picture rather than 22 isolated factsheets.
If you operate a fleet that includes this model (residential deployments, SMB, small branch offices), treat these devices as compromised by default until they are isolated or replaced.
## Technical Details

### Common vulnerable component
The `/cgi-bin/cstecgi.cgi` binary processes requests for the admin panel. Several internal functions take an HTTP parameter as input and pass it directly to a system call (`system()`, `popen()` or equivalent) with no sanitization. An attacker can therefore inject shell separators (`;`, `&&`, `|`, or a backtick) into the parameter value to execute arbitrary commands.

### Common characteristics across the 22 CVEs
- CVSS 3.1: 9.8 (CRITICAL)
- Vector: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Authentication required: none
- Complexity: low
- Public exploit: yes, for all 22
- CWE: CWE-78 (OS Command Injection)
- Privileges obtained: typically root (CGI processes on home routers run as root)

### Full CVE table
| CVE ID | Vulnerable function | Injectable parameter |
|---|---|---|
| CVE-2026-7121 | setWizardCfg | wizard |
| CVE-2026-7122 | setUPnPCfg | enable |
| CVE-2026-7123 | setIptvCfg | setIptvCfg |
| CVE-2026-7124 | setIpv6LanCfg | addrPrefixLen |
| CVE-2026-7125 | setWiFiEasyCfg | merge |
| CVE-2026-7136 | setDmzCfg | wanIdx |
| CVE-2026-7137 | setStorageCfg | sambaEnabled |
| CVE-2026-7138 | setNtpCfg | tz |
| CVE-2026-7139 | setWiFiAclRules | mode |
| CVE-2026-7140 | CsteSystem | HTTP |
| CVE-2026-7152 | setTelnetCfg | telnet_enabled |
| CVE-2026-7153 | setMiniuiHomeInfoShow | sys_info |
| CVE-2026-7154 | setAdvancedInfoShow | tty_server |
| CVE-2026-7155 | setLoginPasswordCfg | admpass |
| CVE-2026-7156 | CsteSystem | HTTP |
| CVE-2026-7202 | setWiFiWpsStart | wscDisabled |
| CVE-2026-7203 | setUrlFilterRules | enable |
| CVE-2026-7204 | setPptpServerCfg | enable |
| CVE-2026-7240 | setVpnAccountCfg | User |
| CVE-2026-7241 | setWiFiBasicCfg | wifiOff |
| CVE-2026-7242 | setOpenVpnClientCfg | enabled |
| CVE-2026-7243 | setRadvdCfg | maxRtrAdvInterval |
| CVE-2026-7244 | setWiFiEasyGuestCfg | merge |
The scale points to a systemic design flaw in the CGI module, not 22 isolated oversights.
## Affected Products and Versions
| Product | Firmware version | Status |
|---|---|---|
| Totolink A8000RU | 7.1cu.643_b20200521 | ❌ Vulnerable, no official patch released |
To date, Totolink has released neither a fixed firmware nor an official security advisory. The A8000RU has been on the market for several years and sits in the consumer-grade segment, so the most likely scenario is that no coordinated vendor support will come.

## Exploitation and Impact

### Attack vector
Any network interface exposing the router's HTTP admin panel allows exploitation. If admin access is reachable from the internet (a common configuration once remote management is enabled), any attacker can compromise the router in seconds.
### Post-compromise impact
- Full persistence: modify firmware, disable updates, install a backdoor
- Internal network attack: pivot to LAN machines, sniff traffic, DNS MITM
- Botnet recruitment: compromised SOHO routers are heavily used by Mirai operators and derivatives (TheMoon, Mozi)
- Credential theft: intercept all outgoing HTTP requests, redirect to phishing pages
- C2 proxy: use the router as a relay node for third-party attacks
### Public exploits

All 22 CVEs were disclosed with complete PoCs. Reproducing the attack is trivial:

```bash
# Generic example (CVE-2026-7138 - setNtpCfg)
curl "http://<router-ip>/cgi-bin/cstecgi.cgi" \
  --data 'topicurl=setNtpCfg&tz=`id > /tmp/pwn`'
```
No account required. Botnet operators have already begun scanning the internet for these devices.
## Detection and IOCs

### Indicators of compromise
- Unusual outbound traffic from the router IP (to C2, IRC, blacklisted IPs)
- Unexpected configuration changes (DNS, NAT rules, admin accounts)
- Degraded performance (CPU saturated by crypto-mining or flooding)
- Unexpected outgoing SSH or Telnet connections
### Logs to monitor (upstream: on the firewall or IDS)

```
# Suricata rule: alert on request bodies to the CGI endpoint that carry shell separators,
# raw or URL-encoded. Define $TOTOLINK_IPS under address-groups in suricata.yaml.
# A bare '&' is deliberately not matched: it separates every form field, so matching it
# would alert on every legitimate admin POST.
alert http any any -> $TOTOLINK_IPS any (msg:"Totolink CGI command injection attempt"; \
    flow:established,to_server; http.uri; content:"/cgi-bin/cstecgi.cgi"; \
    http.request_body; pcre:"/(?:[;|`]|&&|%3[bB]|%7[cC]|%60|%26%26)/"; \
    sid:1000001; rev:1;)
```
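The same check applied to upstream logs rather than live traffic, as an added example that is not part of the article and not Totolink's code: it decodes each form parameter, tests it against the separators listed above (raw or URL-encoded), and maps the `topicurl` function to the CVE table. The log line format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# topicurl function -> (injectable parameter, CVE-2026-NNNN suffix), from the table above (CsteSystem: also CVE-2026-7156).
VULN = {
    "setWizardCfg": ("wizard", 7121), "setUPnPCfg": ("enable", 7122), "setIptvCfg": ("setIptvCfg", 7123),
    "setIpv6LanCfg": ("addrPrefixLen", 7124), "setWiFiEasyCfg": ("merge", 7125), "setDmzCfg": ("wanIdx", 7136),
    "setStorageCfg": ("sambaEnabled", 7137), "setNtpCfg": ("tz", 7138), "setWiFiAclRules": ("mode", 7139),
    "CsteSystem": ("HTTP", 7140), "setTelnetCfg": ("telnet_enabled", 7152), "setMiniuiHomeInfoShow": ("sys_info", 7153),
    "setAdvancedInfoShow": ("tty_server", 7154), "setLoginPasswordCfg": ("admpass", 7155), "setWiFiWpsStart": ("wscDisabled", 7202),
    "setUrlFilterRules": ("enable", 7203), "setPptpServerCfg": ("enable", 7204), "setVpnAccountCfg": ("User", 7240),
    "setWiFiBasicCfg": ("wifiOff", 7241), "setOpenVpnClientCfg": ("enabled", 7242), "setRadvdCfg": ("maxRtrAdvInterval", 7243),
    "setWiFiEasyGuestCfg": ("merge", 7244),
}
SHELL_META = re.compile(r"[;|`]|&&")  # the separators the article lists: ; && | and backtick
# Constructed log format (an assumption for this example): <ts> <src-ip> <method> <uri> "<body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_form(body):
    """Form body -> {name: decoded value}; split on '&' only before 'name=' so a raw '&&' in a value survives."""
    pairs = re.split(r"&(?=[^&=]+=)", body)
    return {k: unquote(v) for k, v in (p.split("=", 1) for p in pairs if "=" in p)}

def analyze(uri, body):
    """Finding for a cstecgi.cgi request with shell metacharacters in any parameter, else None."""
    if "/cgi-bin/cstecgi.cgi" not in uri:
        return None
    params = parse_form(body)
    tainted = sorted(k for k, v in params.items() if SHELL_META.search(v))
    if not tainted:
        return None
    topic = params.get("topicurl", "")
    param, cve = VULN.get(topic, (None, None))
    return {"function": topic or "(none)", "cve": f"CVE-2026-{cve}" if cve else None,
            "hits_known_sink": param in tainted, "tainted": tainted}

def scan_log(lines):
    """Run analyze() over log lines in the constructed format; tag findings with time and source IP."""
    findings = []
    for m in filter(None, map(LOG_RE.match, (ln.strip() for ln in lines))):
        ts, src, _, uri, body = m.groups()
        hit = analyze(uri, body)
        if hit:
            findings.append(dict(hit, ts=ts, src=src))
    return findings

# Constructed sample: a legitimate admin POST, a URL-encoded injection, and a raw '&&' injection.
SAMPLE_LOG = [
    '2026-04-28T10:12:03Z 192.168.1.20 POST /cgi-bin/cstecgi.cgi "topicurl=setNtpCfg&tz=UTC&enable=1"',
    '2026-04-28T10:12:09Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi "topicurl=setNtpCfg&tz=%60id%20%3E%20%2Ftmp%2Fpwn%60"',
    '2026-04-28T10:12:15Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi "topicurl=setDmzCfg&wanIdx=1&&id"',
]
```

A `topicurl` not in the table still produces a finding (with `cve` set to `None`), since any metacharacter reaching this binary is worth a look.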
### Manual compromise check

If you have SSH/Telnet (or serial console) access to the router:

```bash
# Check for unusual processes (BusyBox ps takes no "aux" flags; the grep itself is filtered
# out because its own command line contains "init")
ps | grep -vE "init|udhcpc|dnsmasq|httpd|telnetd|sshd"
# Check crontab and recently modified or unexpected binaries (writable dirs first)
crontab -l
ls -la /tmp/ /var/tmp/ /usr/bin/
# Check active TCP connections and their owning processes
# (some BusyBox builds lack -p; drop it if netstat complains)
netstat -tnp
```
## Mitigation

### Recommended action: replace or isolate
Since no official patch is available, the only effective measures are:
- Replace the device with a supported model (other brands with maintained firmware, or OpenWrt where compatible)
- Strict network isolation if replacement isn't immediate:
  - Block all internet access to the admin panel (disable remote management)
  - Restrict the admin interface to a single internal management IP via ACL
  - Place the router behind an upstream firewall that filters payloads containing shell metacharacters

### Upstream workaround

If you operate an upstream firewall (pfSense, OPNsense, Fortigate, etc.) that sees traffic to the router:

```
# Block requests containing shell separators to /cgi-bin/cstecgi.cgi
# (adapt to your IDS/IPS engine)
```

### LAN audit
Treat the LAN behind an unpatched Totolink A8000RU as potentially compromised: any device that has routed traffic through this router may have been MITM'd or sniffed. Audit credentials, certificates, and machine accounts granted to those hosts.
## Why Continuous Monitoring Matters
This incident illustrates a classic pattern: a single failing device can stack 22 critical CVEs in a single week, with no vendor response. A continuous inventory of your fleet lets you detect the mass appearance of CVEs on a given product and make the decision to retire it before an attack lands.
With cveo.tech, track the routers and other network gear in your fleet and get automatic alerts when a critical CVE affects one of your versions — including when the vendor offers no fix and you need to make the call to replace.