CVE-2026-7538
Published: 01 May 2026
Summary
CVE-2026-7538 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability identified as CVE-2026-7538 affects the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. It resides in the CGI Handler component, specifically the function handling requests to /cgi-bin/cstecgi.cgi, where improper handling of the proto argument enables operating system command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9, reflecting network-accessible attack vectors that require no authentication or user interaction.
Remote, unauthenticated attackers can supply crafted input to the proto parameter and execute arbitrary operating system commands on the device. Successful exploitation grants full control over the affected router, including the ability to read, modify, or delete data and potentially pivot within the local network. A publicly available exploit has been noted for this flaw.
The provided references, including a detailed disclosure on GitHub and entries on VulDB, do not describe vendor patches, firmware updates, or other mitigations. The EPSS score remains low, with a current value of 0.0122 and a peak of 0.0125, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26470
Vulnerability details
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely.…
The exploit is publicly available and might be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-7538 is a command injection vulnerability in a public-facing CGI handler on a router web interface, directly enabling exploitation of public-facing applications (T1190) and arbitrary OS command execution equivalent to abusing network device CLI (T1059.008).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation and sanitization of the proto argument in /cgi-bin/cstecgi.cgi to block OS command injection payloads.
AC-3 (Access Enforcement): Enforces access-control decisions on the CGI handler so that unauthenticated remote requests cannot reach the vulnerable function.
Restricts network-level access to the router's management CGI endpoints, reducing the remote attack surface exploited by the public proof-of-concept.
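The input-validation control described above, sketched in C as an added example; this is not Totolink's firmware code or anything from the referenced disclosure. The allowed proto values, the helper path and the --proto flag are assumptions made for illustration, since the page does not document them.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list: the advisory does not say which values proto accepts. */
static const char *const ALLOWED_PROTO[] = { "tcp", "udp", "icmp" };
#define N_ALLOWED (sizeof ALLOWED_PROTO / sizeof ALLOWED_PROTO[0])

/* Hypothetical helper binary and flag, used only to show argv construction. */
#define HELPER_PATH "/usr/sbin/example-helper"

/* Return the table's own copy of the value on an exact, full-length match,
 * or NULL. Comparing by explicit length rejects embedded NUL bytes that
 * would make strcmp() stop early and accept whatever follows. */
const char *proto_canonical(const char *input, size_t len)
{
    if (input == NULL || len == 0)
        return NULL;
    for (size_t i = 0; i < N_ALLOWED; i++) {
        if (len == strlen(ALLOWED_PROTO[i]) &&
            memcmp(input, ALLOWED_PROTO[i], len) == 0)
            return ALLOWED_PROTO[i];
    }
    return NULL;
}

/* Fill argv for execv(); no shell is involved, and the argument is the
 * constant from the table rather than the request bytes.
 * Returns 0 on success, -1 if the value is rejected or argv is too small. */
int build_argv(const char *proto, size_t len, const char *argv[], size_t cap)
{
    const char *safe = proto_canonical(proto, len);
    if (safe == NULL || cap < 4)
        return -1;
    argv[0] = HELPER_PATH;
    argv[1] = "--proto";
    argv[2] = safe;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[4];
    const char sample[] = "udp"; /* constructed sample input */
    int rc = build_argv(sample, sizeof sample - 1, argv, 4);
    printf("rc=%d proto=%s\n", rc, rc == 0 ? argv[2] : "(rejected)");
    return 0;
}
```

Passing the resulting argv to execv() instead of building a string for system() or popen() keeps a shell out of the path entirely, so the allow-list is a second layer rather than the only one.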