CVE-2026-7823
Published: 05 May 2026
Summary
CVE-2026-7823 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A8000RU firmware version 7.1cu.643_b20200521. The issue resides in the setAppFilterCfg function within /cgi-bin/cstecgi.cgi, where unsanitized input to the enable argument permits operating system command injection. The vulnerability is tracked as CVE-2026-7823 and carries a CVSS 4.0 score of 8.9, reflecting network-accessible attack vectors with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply a crafted HTTP request to the CGI endpoint and execute arbitrary commands on the device. Public exploit code has already been published, enabling straightforward weaponization for full device compromise without requiring credentials or user interaction.
The EPSS score remains low, with a current value of 0.0122 and a peak of only 0.0125, indicating limited observed exploitation interest to date. The vendor site and public disclosure repositories provide no details on patches or configuration workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27221
Vulnerability details
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the router's public-facing web CGI directly enables remote exploitation of a public-facing application (T1190), resulting in arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'enable' argument in setAppFilterCfg to block OS command injection via the unauthenticated CGI request.
- AC-3 (Access Enforcement): enforces access control checks before allowing execution of the vulnerable CGI function, preventing unauthenticated remote attackers from reaching the injection point.
- Requires identification and authentication of users before permitting access to the /cgi-bin/cstecgi.cgi endpoint, eliminating the unauthenticated attack vector described in the CVE.
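As an added example (not Totolink's firmware code), the allowlist validation that the SI-10 control above calls for, written in C as a hypothetical hardened handler for the `enable` argument; the function names, the query-string format and the sample inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the vendor's code. The `enable` argument of
 * setAppFilterCfg is a boolean toggle, so the only legitimate values are the
 * literal strings "0" and "1". Validating against that allowlist before the
 * value is used anywhere removes the path from request input to a shell. */

/* Copy the raw value of `key` from a query string such as "a=1&enable=0&b=x"
 * into `out` (NUL-terminated). Returns 1 when found and it fits, 0 otherwise.
 * No percent-decoding is done, so an encoded value still fails the allowlist. */
int get_param(const char *query, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outlen) return 0;      /* over-long value: reject */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Strict allowlist: 1 if value is exactly "0" or "1", else 0. */
int enable_is_valid(const char *value) {
    return value != NULL && (strcmp(value, "0") == 0 || strcmp(value, "1") == 0);
}

/* Hypothetical hardened handler. Returns the parsed flag (0 or 1) on success
 * and -1 when the request must be rejected. From here on the setting is an
 * int, so no request-controlled string is ever interpolated into a command. */
int handle_set_app_filter_cfg(const char *query) {
    char value[8];
    if (!get_param(query, "enable", value, sizeof value)) return -1;
    if (!enable_is_valid(value)) return -1;
    return value[0] - '0';
}
```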