CVE-2026-7037
Published: 26 April 2026
Summary
CVE-2026-7037 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Remote unauthenticated attackers can supply crafted input to the pptpPassThru parameter and achieve arbitrary operating system command execution on the device, resulting in full compromise of confidentiality, integrity, and availability according to the CVSS 8.9 rating. The vulnerability is tracked under CWE-77 and CWE-78.
No vendor advisory or patch information is provided in the references, which consist primarily of public exploit details hosted on GitHub and VulDB. The associated EPSS score remains low, with only a negligible peak of 0.0125.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25713
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing web application (router CGI interface) for arbitrary OS command execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) as it involves command injection on the underlying OS.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of untrusted inputs such as pptpPassThru to block OS command injection via the CGI handler.
Enforces authentication and authorization checks before any access to setVpnPassCfg, blocking the unauthenticated remote attack path.
Restricts network boundaries and external interfaces so that the vulnerable /cgi-bin/cstecgi.cgi endpoint is not reachable from remote attackers.