{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7137", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T19:30:05.369Z", "datePublished": "2026-04-27T15:45:11.952Z", "dateUpdated": "2026-04-27T17:57:52.595Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T15:45:11.952Z"}, "title": "Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "Totolink", "product": "A8000RU", "versions": [{"version": "7.1cu.643_b20200521", "status": "affected"}], "cpes": ["cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*"], "modules": ["CGI Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "CRITICAL"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T21:35:23.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LtzHuster2 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359736", "name": "VDB-359736 | Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359736/cti", "name": "VDB-359736 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801008", "name": "Submit #801008 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_312/README.md", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T17:57:23.538557Z", "id": "CVE-2026-7137", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:57:52.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7137", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T17:57:23.538557Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:57:43.096Z"}}], "cna": {"title": "Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "LtzHuster2 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*"], "vendor": "Totolink", "modules": ["CGI Handler"], "product": "A8000RU", "versions": [{"status": "affected", "version": "7.1cu.643_b20200521"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T21:35:23.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359736", "name": "VDB-359736 | Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359736/cti", "name": "VDB-359736 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/801008", "name": "Submit #801008 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_312/README.md", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T15:45:11.952Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7137", "state": "PUBLISHED", "dateUpdated": "2026-04-27T17:57:52.595Z", "dateReserved": "2026-04-26T19:30:05.369Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T15:45:11.952Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-7137", "lastModified": "2026-04-27T18:35:53.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T16:16:47.110", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_312/README.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/801008"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359736"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359736/cti"}, {"source": "cna@vuldb.com", "url": "https://www.totolink.net/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.1cu.643_b20200521"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "A8000RU", "source": "cna", "vendor": "Totolink"}, "product": "a8000ru", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-28T04:17:53.825592+00:00", "value": {"mitigation_remediation": ["Update the router firmware to the latest release provided by Totolink that addresses the command\u2011injection issue.", "If an update is unavailable, restrict external access to the /cgi-bin/cstecgi.cgi endpoint by applying firewall rules or network segmentation so only trusted local hosts can reach it.", "Disable the Samba service or the sambaEnabled feature through router configuration or through firewall rules to eliminate the injection vector when immediate remediation is not possible."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. No other vendors or product variants are listed as impacted.", "description_and_impact": "The vulnerability is an OS command injection flaw in the setStorageCfg function of the /cgi-bin/cstecgi.cgi CGI handler on Totolink A8000RU routers. By manipulating the sambaEnabled argument, an attacker can inject arbitrary shell commands that the device executes with elevated privileges. This allows full control over the router\u2019s operating system, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.3 classifies this flaw as Critical, and its remote nature enables exploitation over the network. The EPSS score is not available, and the vulnerability is not presently listed in CISA\u2019s KEV catalog. An attacker can reach the vulnerable CGI endpoint by sending HTTP requests from an external host or by exploiting local network access, provided the router\u2019s administration interface is exposed. Once exploited, the attacker can execute commands on the router\u2019s operating system."}}}}, "created": "2026-04-28T02:30:18.597586+00:00", "updated": "2026-04-28T04:30:21.141009+00:00", "vendors": ["totolink", "totolink$PRODUCT$a8000ru"]}