Cyber Resilience

CVE-2026-7121

Severity: High · Impact: RCE
Published: 27 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: none referenced on this page
CVSS v4.0 score: 8.9 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0195 (77.7th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-7121 is a high-severity command injection (CWE-77) vulnerability in the Totolink A8000RU router (product inferred from references). Its CVSS v4.0 score is 8.9 (High). Note that the published vector carries the threat metric E:P (proof-of-concept exploit available), so 8.9 is a base-plus-threat (CVSS-BT) value rather than a pure base score; the same base metrics evaluated without E:P would score higher.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.3% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

A flaw has been identified in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the wizard argument enables operating system command injection. The vulnerability is tracked as CVE-2026-7121 and carries a CVSS 4.0 score of 8.9, reflecting high impact on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit the flaw remotely by sending a crafted request to the affected CGI endpoint, allowing arbitrary command execution on the device (the vector's AV:N and PR:N reflect network reach with no credentials). Public proof-of-concept code has already been released, which the E:P threat metric records, increasing the likelihood that the issue can be leveraged in real attacks against exposed routers.

The provided references include a detailed exploit description on GitHub and entries on VulDB, along with a link to the vendor site, but contain no explicit statements on patches or mitigation steps. The associated EPSS score has stayed low, moving only from 0.0122 to a peak of 0.0125. A low EPSS should not be read as low urgency here: EPSS is a population-level predictor, while unauthenticated network reach combined with a published proof of concept means any A8000RU whose management interface is reachable from the internet should be treated as exposed and isolated or retired until fixed firmware is available.


Vulnerability details

A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes OS command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'). The "CVEs Like This One" list on this page also matches on CWE-78 (OS Command Injection), the OS-command specialization that the vulnerability description uses.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables unauthenticated remote exploitation of a public-facing web application (the router's CGI handler) for arbitrary OS command injection on a likely Unix-based system, so initial access via T1190 leads directly to execution via T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)
CVE-2026-2157 (shared CWE-77, CWE-78)
CVE-2026-7136 (shared CWE-77, CWE-78)
CVE-2026-9387 (shared CWE-77, CWE-78)
CVE-2026-9477 (shared CWE-77, CWE-78)
CVE-2026-2063 (shared CWE-77, CWE-78)
CVE-2026-2847 (shared CWE-77, CWE-78)
CVE-2026-9458 (shared CWE-77, CWE-78)

Affected Assets

Totolink A8000RU, firmware 7.1cu.643_b20200521 (vendor and product inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of the wizard argument passed to setWizardCfg, blocking the OS command injection vector at the CGI endpoint. A positive allowlist of the values the handler actually expects is preferable to stripping metacharacters, and the resulting command should be invoked without a shell.

SC-7 Boundary Protection (prevent)
Enforces boundary protection to restrict or block unauthenticated remote access to /cgi-bin/cstecgi.cgi on exposed routers. In practice: confirm that WAN-side remote management is disabled and that the web interface is reachable only from a trusted management network.

CM-7 Least Functionality (prevent)
Requires disabling or restricting non-essential CGI functions and services so the vulnerable setWizardCfg handler is not reachable.
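As an added example, not code from this page or from Totolink's firmware, the following C fragment shows the shape of the weakness the deeper analysis describes (an untrusted CGI argument interpolated into a shell command line) beside the SI-10 style fix: an allowlist on the wizard argument and an argv-based exec that never hands the value to a shell. The command path /sbin/wizard_apply, the helper function names and the sample inputs are hypothetical; the actual command built by setWizardCfg is not documented on this page.

```c
/*
 * Added illustration of CWE-77/CWE-78 and of an SI-10 style fix.
 * NOT the Totolink A8000RU firmware: the real setWizardCfg handler, the
 * command it builds and its parameter format are not documented on this
 * page. "/sbin/wizard_apply" and the function names are hypothetical.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define CMD_MAX    256
#define WIZARD_MAX 32

/* Vulnerable pattern: the untrusted CGI argument is pasted into a shell
 * command line that would later go to system()/popen(). Metacharacters in
 * `wizard` (';', '|', '`', '$(...)') become extra commands. Builds the
 * string only, never executes it. Returns 0, or -1 if `out` is too small. */
int build_cmd_unsafe(const char *wizard, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/sbin/wizard_apply %s", wizard);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* SI-10 (Information Input Validation): positive allowlist. Only
 * [A-Za-z0-9_-] up to WIZARD_MAX bytes is accepted; every shell
 * metacharacter is rejected before any command is formed. */
bool wizard_arg_is_valid(const char *wizard)
{
    size_t len;
    if (wizard == NULL) return false;
    len = strlen(wizard);
    if (len == 0 || len > WIZARD_MAX) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)wizard[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

/* Hardened handler: validate first, then avoid the shell entirely by
 * preparing an argv vector for fork()+execv(). With execv there is no
 * shell to interpret metacharacters even if validation is later relaxed.
 * `argv` must have room for 3 pointers. Returns 0 if the request is
 * accepted, -1 if rejected (argv[0] is then NULL). */
int prepare_wizard_argv(const char *wizard, const char *argv[3])
{
    if (!wizard_arg_is_valid(wizard)) {
        argv[0] = NULL;
        return -1;
    }
    argv[0] = "/sbin/wizard_apply";   /* hypothetical helper binary */
    argv[1] = wizard;
    argv[2] = NULL;                   /* execv(argv[0], (char *const *)argv) */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one benign value and two carrying an
     * injected command, as an attacker would send in the wizard argument. */
    const char *samples[] = { "quick", "quick;reboot", "quick`id`" };
    char cmd[CMD_MAX];
    const char *argv[3];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_cmd_unsafe(samples[i], cmd, sizeof cmd) == 0)
            printf("unsafe handler would run : %s\n", cmd);
        if (prepare_wizard_argv(samples[i], argv) == 0)
            printf("hardened handler accepts : %s %s\n", argv[0], argv[1]);
        else
            printf("hardened handler rejects : %s\n", samples[i]);
    }
    return 0;
}
```

The two layers are independent: the allowlist stops a malicious request at the input boundary (SI-10), and replacing system() with execv removes the shell interpreter so that a single validation bug no longer yields command execution. On a device like this the complete fix also applies CM-7 and SC-7, so the handler is not reachable from the WAN at all.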
