CVE-2026-7153
Published: 27 April 2026
Summary
CVE-2026-7153 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation of the sys_info argument in the vulnerable setMiniuiHomeInfoShow CGI function.
Requires timely remediation of the specific flaw in the Totolink A8000RU firmware's CGI handler to eliminate the command injection vulnerability.
Facilitates identification of the CVE-2026-7153 vulnerability via scanning unpatched Totolink A8000RU devices and triggers remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote, unauthenticated OS command injection in a public-facing CGI interface on a router, directly enabling exploitation of public-facing applications (T1190) and execution of commands via network device CLI (T1059.008).
NVD Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack…
more
can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-7153 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setMiniuiHomeInfoShow function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the sys_info argument enables command injection. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
The vulnerability is exploitable remotely by unauthenticated attackers with no user interaction required. Successful exploitation allows arbitrary OS command execution on the device, potentially leading to full compromise including data theft, modification of configurations, or disruption of router functionality.
Advisories referenced in VulDB entries (vuln/359752 and related pages) document the issue and its CTI implications, while a GitHub repository provides a public proof-of-concept exploit in a README file specific to this vulnerability. The vendor's site at totolink.net is listed, though no patch details are specified in the provided references.
An exploit has been publicly released, heightening the risk of real-world attacks against unpatched Totolink A8000RU devices.
Details
- CWE(s)