CVE-2026-7244
Published: 28 April 2026
Summary
CVE-2026-7244 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents OS command injection by requiring validation of untrusted inputs such as the 'merge' argument in the vulnerable setWiFiEasyGuestCfg CGI function.
SI-2 mandates timely flaw remediation through firmware patching to eliminate the specific command injection vulnerability in the Totolink A8000RU router.
AC-3 enforces approved authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection via public-facing web CGI on router directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary command execution.
NVD Description
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible…
more
to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-7244 is an OS command injection vulnerability affecting the Totolink A8000RU router on firmware version 7.1cu.643_b20200521. The issue lies in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "merge" argument enables injection of arbitrary operating system commands.
The vulnerability is remotely exploitable over the network with low complexity, requiring no privileges or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Any unauthenticated remote attacker can execute arbitrary commands on the device, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.
VulDB advisories document the flaw, including a public exploit release on GitHub at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_328/README.md, with additional details at https://vuldb.com/vuln/359851 and related pages. Security practitioners should monitor the vendor site https://www.totolink.net/ for firmware updates or mitigation guidance.
The exploit's public availability increases the risk of real-world attacks against unpatched Totolink A8000RU devices.
Details
- CWE(s)