CVE-2026-7140
Published: 27 April 2026
Summary
CVE-2026-7140 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability has been identified in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the CsteSystem function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where improper handling of the HTTP argument enables OS command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9.
The vulnerability can be exploited remotely by unauthenticated attackers who supply crafted input to the affected CGI endpoint. Successful exploitation grants the ability to execute arbitrary operating system commands on the device, which may lead to full compromise of the router's confidentiality, integrity, and availability.
Public exploit details have been disclosed via repositories and vulnerability databases, though the associated EPSS score remains low at approximately 0.0122 with negligible movement from its recorded peak. No vendor advisories or patches are referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25879
Vulnerability details
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument HTTP leads to OS command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (T1190), leading to arbitrary OS command injection and facilitating Network Device CLI abuse (T1059.008).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Validates the HTTP argument supplied to /cgi-bin/cstecgi.cgi:CsteSystem so that crafted OS-command payloads are rejected before execution.
- Enforces access-control policy on the CGI endpoint, denying unauthenticated remote subjects the ability to invoke the vulnerable function.
- Requires successful identification and authentication before any remote subject is allowed to reach the unauthenticated CGI handler.