CVE-2026-7125
Published: 27 April 2026
Summary
CVE-2026-7125 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability identified as CVE-2026-7125 affects the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. It resides in the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. The issue stems from improper handling of the merge argument, enabling OS command injection as classified under CWE-77 and CWE-78. The flaw is remotely exploitable without authentication and carries a CVSS 4.0 score of 8.9.
An unauthenticated attacker can send a crafted HTTP request to the CGI endpoint over the network to inject and execute arbitrary operating system commands on the device. Successful exploitation grants full control over the router, including the ability to alter configuration, exfiltrate data, or pivot to connected systems. A publicly available exploit has been disclosed, increasing the practicality of remote attacks.
The EPSS score remains low at 0.0122 with a peak of only 0.0125, indicating limited observed exploitation interest to date. Vendor references point to the Totolink support site and third-party disclosure repositories, though no specific patch or mitigation guidance is detailed in the available records.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25843
Vulnerability details
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be…
more
initiated remotely. The exploit is publicly available and might be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection via public-facing router web CGI enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the 'merge' argument in setWiFiEasyCfg to block OS command injection via the CGI endpoint.
Enforces access-control checks on /cgi-bin/cstecgi.cgi so that unauthenticated remote requests cannot reach or execute injected commands.
Restricts network-level access to the router's management CGI from untrusted sources, limiting remote exploitation of the unauthenticated injection flaw.