CVE-2026-7155
Published: 27 April 2026
Summary
CVE-2026-7155 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability has been detected in Totolink A8000RU version 7.1cu.643_b20200521. The issue resides in the setLoginPasswordCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. Manipulation of the admpass argument allows OS command injection, classified under CWE-77 and CWE-78, with a CVSS 4.0 score of 8.9 reflecting network-accessible, low-complexity attack conditions that can fully compromise confidentiality, integrity, and availability.
Remote unauthenticated attackers can initiate the attack over the network to execute arbitrary operating system commands on the affected device. Publicly disclosed exploit details indicate that successful exploitation grants an attacker full control over the router without requiring user interaction or credentials.
The EPSS score remains low and stable at approximately 0.0122–0.0125. References include a detailed disclosure on GitHub along with entries on Vuldb and the vendor site, though no specific mitigation guidance or patch information is provided in the available data.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25920
Vulnerability details
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated…
more
remotely. The exploit has been disclosed publicly and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable OS command injection in a public-facing web CGI interface on a router (T1190: Exploit Public-Facing Application), enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the admpass argument in setLoginPasswordCfg to block OS command injection (CWE-77/78).
Enforces authentication and authorization on /cgi-bin/cstecgi.cgi before any password-configuration or command-execution actions, eliminating the unauthenticated remote attack path.
Boundary-protection mechanisms (e.g., ACLs, WAF rules) can restrict or inspect traffic to the router's CGI interface, limiting remote exploitation of the injection flaw.