CVE-2026-7121
Published: 27 April 2026
Summary
CVE-2026-7121 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
A flaw has been identified in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the wizard argument enables operating system command injection. The vulnerability is tracked as CVE-2026-7121 and carries a CVSS 4.0 score of 8.9, reflecting high impact on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit the flaw remotely by sending a crafted request to the affected CGI endpoint, allowing arbitrary command execution on the device. Public proof-of-concept code has already been released, increasing the likelihood that the issue can be leveraged in real attacks against exposed routers.
The provided references include a detailed exploit description on GitHub and entries on VulDB, along with a link to the vendor site, but contain no explicit statements on patches or mitigation steps. The associated EPSS score remains low, moving only from 0.0122 to a peak of 0.0125.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25835
Vulnerability details
A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes OS command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables unauthenticated remote exploitation of a public-facing web application (router CGI) for arbitrary OS command injection on a likely Unix-based system.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of the wizard argument passed to setWizardCfg, blocking the OS command injection vector at the CGI endpoint.
- Enforces boundary protection to restrict or block unauthenticated remote access to /cgi-bin/cstecgi.cgi on exposed routers.
- Requires disabling or restricting non-essential CGI functions and services so the vulnerable setWizardCfg handler is not reachable.