CVE-2026-7242
Published: 28 April 2026
Summary
CVE-2026-7242 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability exists in the Totolink A8000RU router running firmware 7.1cu.643_b20200521. It resides in the setOpenVpnClientCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. Unauthenticated manipulation of the enabled argument permits OS command injection, as indicated by the associated CWE-77 and CWE-78 classifications and an 8.9 CVSS 4.0 score reflecting network attackability without privileges or user interaction.
Remote attackers can exploit the flaw directly over the network to execute arbitrary operating-system commands on the device. Successful exploitation grants control over confidentiality, integrity, and availability of the affected router, with a publicly disclosed proof-of-concept available for reuse.
The listed references consist of a GitHub disclosure repository, multiple VulDB entries, and the vendor homepage, but contain no details on patches, firmware updates, or other mitigations. The EPSS score has remained low and stable, with a current value of 0.0122 and a peak of 0.0125.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26015
Vulnerability details
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnClientCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enabled can lead to os command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated remote exploitation of a public-facing router web application (T1190), directly providing arbitrary OS command execution on what is likely Unix/Linux-based router firmware (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation of the 'enabled' argument in setOpenVpnClientCfg before it reaches the OS command interpreter, blocking the CWE-78 injection vector.
AC-3 (Access Enforcement): Enforces access-control decisions on the unauthenticated CGI endpoint, denying execution of setOpenVpnClientCfg without proper identification and authorization.
Restricts network traffic to the /cgi-bin/cstecgi.cgi interface, limiting remote unauthenticated reachability of the vulnerable function from external attackers.
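As an added illustration of the input-validation control on the 'enabled' argument (not Totolink's code and not taken from the disclosure): a C example of a CGI handler reducing that argument to a strict 0/1 value and building an argument vector from constants only, so the request string never reaches a shell. The function names and the VPN_HELPER path are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Placeholder path: the firmware's real helper binary is not named on the page. */
#define VPN_HELPER "/path/to/vpn-helper"

/* Accept only the exact strings "0" or "1"; anything else is rejected,
 * including trailing bytes, leading whitespace, or empty input. */
int parse_enabled(const char *raw, int *enabled_out)
{
    if (raw == NULL || enabled_out == NULL)
        return -1;
    if (strcmp(raw, "0") == 0) { *enabled_out = 0; return 0; }
    if (strcmp(raw, "1") == 0) { *enabled_out = 1; return 0; }
    return -1;
}

/* Fill argv_out for an execv()-style call (no shell involved). Only
 * compile-time constants are placed in the vector; the request string
 * itself is never copied into it. Returns 0 on success, -1 on rejection. */
int build_vpn_argv(const char *raw_enabled, const char *argv_out[], size_t cap)
{
    int enabled;

    if (argv_out == NULL || cap < 3)
        return -1;
    if (parse_enabled(raw_enabled, &enabled) != 0)
        return -1;          /* caller answers with an error and runs nothing */
    argv_out[0] = VPN_HELPER;
    argv_out[1] = enabled ? "start" : "stop";
    argv_out[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv_buf[3];
    /* Constructed inputs: one valid value, one carrying a shell metacharacter. */
    int ok = build_vpn_argv("1", argv_buf, 3);
    int rejected = build_vpn_argv("1;x", argv_buf, 3);
    return (ok == 0 && rejected == -1) ? 0 : 1;
}
```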