CVE-2026-7153
Published: 27 April 2026
Summary
CVE-2026-7153 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Remote unauthenticated attackers can trigger the flaw over the network by supplying crafted input to the sys_info parameter, resulting in execution of arbitrary operating system commands with impacts rated high for confidentiality, integrity, and availability under CVSS 8.9. The associated CWEs are CWE-77 and CWE-78.
Public references include a GitHub repository containing vulnerability details, multiple Vuldb entries, and the vendor website, though no specific patch or mitigation guidance is described in the available information. The EPSS score remains low, with a current value of 0.0122 and a peak of 0.0125.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25915
Vulnerability details
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack…
more
can be initiated remotely. The exploit has been released to the public and may be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote, unauthenticated OS command injection in a public-facing CGI interface on a router, directly enabling exploitation of public-facing applications (T1190) and execution of commands via network device CLI (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the sys_info argument before it reaches the CGI handler, blocking the OS command injection vector.
Boundary protection can restrict or deny remote unauthenticated access to the /cgi-bin/cstecgi.cgi endpoint, reducing exposure of the vulnerable function.
Least-privilege execution of the CGI process limits the scope of arbitrary OS commands that can be successfully run after injection succeeds.