Cyber Resilience

CVE-2026-7155

HighRCE

Published: 27 April 2026

Published
27 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0177 75.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7155 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A security vulnerability has been detected in Totolink A8000RU version 7.1cu.643_b20200521. The issue resides in the setLoginPasswordCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. Manipulation of the admpass argument allows OS command injection, classified under CWE-77 and CWE-78, with a CVSS 4.0 score of 8.9 reflecting network-accessible, low-complexity attack conditions that can fully compromise confidentiality, integrity, and availability.

Remote unauthenticated attackers can initiate the attack over the network to execute arbitrary operating system commands on the affected device. Publicly disclosed exploit details indicate that successful exploitation grants an attacker full control over the router without requiring user interaction or credentials.

The EPSS score remains low and stable at approximately 0.0122–0.0125. References include a detailed disclosure on GitHub along with entries on Vuldb and the vendor site, though no specific mitigation guidance or patch information is provided in the available data.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated…

more

remotely. The exploit has been disclosed publicly and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a remotely exploitable OS command injection in a public-facing web CGI interface on a router (T1190: Exploit Public-Facing Application), enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7204Shared CWE-77, CWE-78
CVE-2026-2152Shared CWE-77, CWE-78
CVE-2026-5677Shared CWE-77, CWE-78
CVE-2026-2157Shared CWE-77, CWE-78
CVE-2026-7136Shared CWE-77, CWE-78
CVE-2026-7121Shared CWE-77, CWE-78
CVE-2026-9387Shared CWE-77, CWE-78
CVE-2026-9477Shared CWE-77, CWE-78
CVE-2026-2063Shared CWE-77, CWE-78
CVE-2026-2847Shared CWE-77, CWE-78

Affected Assets

Totolink
A8000RU
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the admpass argument in setLoginPasswordCfg to block OS command injection (CWE-77/78).

prevent

Enforces authentication and authorization on /cgi-bin/cstecgi.cgi before any password-configuration or command-execution actions, eliminating the unauthenticated remote attack path.

prevent

Boundary-protection mechanisms (e.g., ACLs, WAF rules) can restrict or inspect traffic to the router's CGI interface, limiting remote exploitation of the injection flaw.

References