Cyber Resilience

CVE-2026-7538

High · RCE

Published: 01 May 2026

Modified: 01 May 2026
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0182 (76.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7538 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability identified as CVE-2026-7538 affects the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. It resides in the CGI Handler component, specifically the function handling requests to /cgi-bin/cstecgi.cgi, where improper handling of the proto argument enables operating system command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9, reflecting network-accessible attack vectors that require no authentication or user interaction.

Remote, unauthenticated attackers can supply crafted input to the proto parameter and execute arbitrary operating system commands on the device. Successful exploitation grants full control over the affected router, including the ability to read, modify, or delete data and potentially pivot within the local network. A publicly available exploit has been noted for this flaw.

The provided references, including a detailed disclosure on GitHub and entries on Vuldb, do not describe vendor patches, firmware updates, or other mitigations. The EPSS score remains low, with a current value of 0.0122 and a peak of 0.0125, indicating limited observed exploitation interest to date.


Vulnerability details

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely.…

The exploit is publicly available and might be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

CVE-2026-7538 is a command injection vulnerability in a public-facing CGI handler on a router web interface, directly enabling exploitation of public-facing applications (T1190) and arbitrary OS command execution equivalent to abusing network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7123: Shared CWE-77, CWE-78
CVE-2026-6114: Shared CWE-77, CWE-78
CVE-2026-2082: Shared CWE-77, CWE-78
CVE-2026-5997: Shared CWE-77, CWE-78
CVE-2025-15254: Shared CWE-77, CWE-78
CVE-2025-1819: Shared CWE-77, CWE-78
CVE-2026-7243: Shared CWE-77, CWE-78
CVE-2026-1506: Shared CWE-77, CWE-78
CVE-2026-3696: Shared CWE-77, CWE-78
CVE-2026-6154: Shared CWE-77, CWE-78

Affected Assets

Totolink A8000RU (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the proto argument in /cgi-bin/cstecgi.cgi to block OS command injection payloads.

prevent

Enforces access-control decisions on the CGI handler so that unauthenticated remote requests cannot reach the vulnerable function.

prevent

Restricts network-level access to the router's management CGI endpoints, reducing the remote attack surface exploited by the public proof-of-concept.

References