CVE-2026-7123
Published: 27 April 2026
Summary
CVE-2026-7123 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents OS command injection by validating and sanitizing the setIptvCfg argument in the vulnerable CGI handler.
- Flaw remediation: remediates the specific flaw in the setIptvCfg function of /cgi-bin/cstecgi.cgi through timely patching of the Totolink firmware.
- IA-8 (Identification and Authentication (Non-organizational Users)): requires identification and authentication for non-organizational remote users, blocking unauthenticated exploitation of the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing router CGI interface, directly enabling initial access via public-facing application exploitation (T1190) and command execution on a network device CLI/web interface (T1059.008).
NVD Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated remotely.…
The exploit has been made public and could be used.
Deeper analysis
CVE-2026-7123 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The issue lies in the setIptvCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component. Manipulation of the setIptvCfg argument enables arbitrary OS command execution.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated remote attackers can exploit it with low complexity and no user interaction, potentially gaining high-impact control over confidentiality, integrity, and availability of the affected device, such as executing arbitrary commands for full compromise.
References include a GitHub repository with a public exploit at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_308/README.md, VulDB entries at https://vuldb.com/vuln/359722 and https://vuldb.com/submit/800995, and the vendor site at https://www.totolink.net/. No specific mitigation or patch details are provided in the CVE description.
The exploit has been made public and could be used, as stated in the advisory.
Details
- CWE(s)