CVE-2026-7124
Published: 27 April 2026
Summary
CVE-2026-7124 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly implements input validation mechanisms on CGI parameters like addrPrefixLen to block OS command injection exploits.
Requires identification, reporting, and correction of flaws such as the command injection vulnerability in setIpv6LanCfg function.
Restricts CGI input parameters like addrPrefixLen to authorized types and formats, preventing malicious command injection payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing CGI endpoint on a router, directly enabling exploitation of public-facing applications (T1190) and execution of arbitrary commands via network device CLI abuse (T1059.008).
NVD Description
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument addrPrefixLen can lead to os command injection. The attack…
more
can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-7124 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The flaw affects the setIpv6LanCfg function within the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the addrPrefixLen argument triggers command injection. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8.
The vulnerability enables remote exploitation without authentication or user interaction (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can send crafted requests to the exposed CGI endpoint, injecting arbitrary OS commands to achieve high-impact compromise, including data exfiltration, modification, or denial of service on the affected router.
Advisories and references, including those from VulDB and the Totolink vendor site, provide details on the issue, while a proof-of-concept exploit is publicly available on GitHub. The exploit has been disclosed and may be utilized in attacks.
Details
- CWE(s)