CVE-2026-7204
Published: 28 April 2026
Summary
CVE-2026-7204 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by enforcing input validation on the untrusted 'enable' argument in the vulnerable CGI handler.
Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the setPptpServerCfg function.
Mandates timely identification, reporting, and correction of flaws like this command injection vulnerability via firmware updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-7204 is an unauthenticated OS command injection in a public-facing router web CGI interface, directly enabling T1190 (Exploit Public-Facing Application) for remote exploitation and T1059.004 (Unix Shell) via injected commands on the likely Linux-based router OS.
NVD Description
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The…
more
exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-7204 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The flaw exists in the setPptpServerCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "enable" argument triggers command injection (CWE-77, CWE-78).
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Unauthenticated remote attackers can exploit it over the network with low complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability, such as full device compromise.
Advisories are available via VulDB entries (https://vuldb.com/vuln/359804, https://vuldb.com/submit/801530) and the vendor site (https://www.totolink.net/). An exploit has been publicly disclosed on GitHub (https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_323/README.md), enabling ready utilization by threat actors.
Details
- CWE(s)