CVE-2026-7243
Published: 28 April 2026
Summary
CVE-2026-7243 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing the maxRtrAdvInterval input to the vulnerable setRadvdCfg CGI function.
Remediates the command injection flaw in the Totolink A8000RU firmware by applying vendor patches or updates promptly after vulnerability identification.
Blocks unauthenticated remote access to the exposed /cgi-bin/cstecgi.cgi endpoint, mitigating exploitation of the no-privilege-required vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated OS command injection in a public-facing web CGI interface on a router (network device), directly enabling exploitation of public-facing applications (T1190) and command execution on network device CLI/shell (T1059.008).
NVD Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument maxRtrAdvInterval leads to os command injection. It is possible to initiate…
more
the attack remotely. The exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-7243 is an OS command injection vulnerability in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setRadvdCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. By manipulating the maxRtrAdvInterval argument, an attacker can inject arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
The vulnerability enables remote exploitation without authentication, user interaction, or special privileges, allowing unauthenticated attackers anywhere on the network to target exposed router instances. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially enabling full remote code execution, data theft, device takeover, or denial of service.
Advisories from VulDB detail the vulnerability (vuln/359850) and related CTI, with a submission entry (submit/803266), while a GitHub repository (Litengzheng/vuldb_new2) provides a publicly available exploit in its README.md for the A8000RU. The vendor's site (totolink.net) is referenced but offers no specific patch details in the provided sources. Security practitioners should isolate affected devices and monitor for exploit attempts given the public PoC.
Details
- CWE(s)