critical advisory

Totolink A8000RU Command Injection Vulnerability (CVE-2026-7244)

A critical OS command injection vulnerability (CVE-2026-7244) exists in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi file in Totolink A8000RU version 7.1cu.643_b20200521, allowing remote attackers to execute arbitrary commands.

A critical security vulnerability, identified as CVE-2026-7244, has been discovered in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI handler, specifically in the setWiFiEasyGuestCfg function located in the /cgi-bin/cstecgi.cgi file. By manipulating the merge argument, a remote attacker can inject and execute arbitrary operating system commands on the affected device. The vulnerability is remotely exploitable and a proof-of-concept exploit has been publicly released, increasing the risk of widespread exploitation. This poses a significant threat as it allows for complete control over the device, potentially leading to data breaches, network compromise, and botnet recruitment.

Attack Chain

  1. The attacker sends a malicious HTTP request to the /cgi-bin/cstecgi.cgi endpoint on the Totolink A8000RU router.
  2. The request targets the setWiFiEasyGuestCfg function.
  3. The attacker crafts the request to include a payload in the merge argument designed to inject an OS command.
  4. The cstecgi.cgi script processes the request and passes the merge argument to a system call without proper sanitization.
  5. The injected OS command is executed with the privileges of the web server.
  6. The attacker gains arbitrary code execution on the router’s operating system.
  7. The attacker can then install malware, change router settings, or use the router as a pivot point to attack other devices on the network.

Impact

Successful exploitation of CVE-2026-7244 grants an attacker complete control over the vulnerable Totolink A8000RU router. This can lead to a variety of malicious activities, including data exfiltration, denial-of-service attacks, and the installation of persistent backdoors. Given the availability of a public exploit, a large number of devices could be compromised quickly. This could result in widespread botnet infections, impacting home users and small businesses relying on these routers for network connectivity.

Recommendation

  • Monitor web server logs for requests to /cgi-bin/cstecgi.cgi that carry suspicious parameters in the query string, particularly unexpected values in the merge argument, to detect exploitation attempts (see rule: “Detect Totolink A8000RU Command Injection Attempt”).
  • Implement network intrusion detection system (NIDS) rules to identify malicious payloads sent to the affected endpoint (see rule: “Detect Totolink A8000RU Command Injection - Network”).
  • Apply the Sigma rule “Detect Totolink A8000RU Command Injection in Logs” in your SIEM to identify successful command injection based on web server logs.
  • Monitor for unusual process execution originating from the web server process, which indicates potential exploitation.
  • Unfortunately, no patch is available, so consider migrating to a more secure router.
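The first and fourth recommendations above can be expressed as simple detection logic. The following is an added example written for this advisory, not code from the advisory's author or from the Sigma rules it references. It assumes the web server writes Combined Log Format access logs (the advisory does not name the log format), that the merge argument may appear in the query string, and that the names in WEB_SERVER_IMAGES are placeholders for the device's actual web server and CGI process names; the log lines and process events are constructed samples using RFC 5737 test addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the advisory: the vulnerable CGI path and the injected argument.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
SUSPECT_PARAM = "merge"

# Characters and sequences that chain or substitute commands in a POSIX shell.
# A legitimate configuration value for 'merge' should never contain any of them.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

# Combined Log Format (Apache/nginx style). Assumed: the advisory does not name the format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Mar/2026:12:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?merge=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:00:05 +0000] "GET /cgi-bin/cstecgi.cgi?merge=1%3Breboot HTTP/1.1" 200 312 "-" "curl/8.0"
192.0.2.11 - - [10/Mar/2026:12:00:09 +0000] "GET /index.html?merge=1%3Bx HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:12:00:12 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""


def suspicious_merge_value(target):
    """Return the percent-decoded 'merge' value if the request targets the
    vulnerable path and that value contains shell metacharacters, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %3B -> ';'
    for value in params.get(SUSPECT_PARAM, []):
        if SHELL_META.search(value):
            return value
    return None


def scan_access_log(text):
    """Flag suspicious requests in access-log text. POSTs to the vulnerable path
    are counted separately: their parameters travel in the body, which an access
    log does not record, so they need NIDS or body capture to inspect."""
    hits, opaque_posts = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        value = suspicious_merge_value(target)
        if value is not None:
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "merge": value})
        elif m.group("method") == "POST" and urlsplit(target).path == VULN_PATH:
            opaque_posts += 1
    return {"hits": hits, "opaque_posts": opaque_posts}


# Process-creation events as an EDR or auditd pipeline would emit them; constructed.
# The device's real web server process name is not given in the advisory, so these
# image names are assumed placeholders to be tuned per deployment.
WEB_SERVER_IMAGES = {"httpd", "lighttpd", "boa", "cstecgi.cgi"}
SHELL_IMAGES = {"sh", "ash", "bash", "busybox"}

SAMPLE_PROCESS_EVENTS = [
    {"parent": "init", "image": "httpd", "cmdline": "httpd -p 80"},
    {"parent": "httpd", "image": "cstecgi.cgi", "cmdline": "cstecgi.cgi"},
    {"parent": "cstecgi.cgi", "image": "sh", "cmdline": "sh -c 'echo 1;reboot'"},
    {"parent": "init", "image": "sh", "cmdline": "sh /etc/init.d/rcS"},
]


def shells_spawned_by_web_server(events):
    """Return process events where a shell was started by the web server or its CGI
    handler, the pattern a successful injection through system() produces."""
    return [e for e in events
            if e["parent"] in WEB_SERVER_IMAGES and e["image"] in SHELL_IMAGES]


if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    print(shells_spawned_by_web_server(SAMPLE_PROCESS_EVENTS))
```

Two points worth noting when adapting this: the access-log check is deliberately path-specific (the same merge value on /index.html is ignored), and the opaque_posts counter makes the blind spot explicit, which is why the advisory also calls for a network-level rule. The process check will also fire on legitimate system() calls the CGI makes during normal configuration, so baseline it on a known-clean device and alert on command lines that deviate from that baseline.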

Detection coverage (3 rules)

Detect Totolink A8000RU Command Injection Attempt

critical

Detects attempts to exploit the Totolink A8000RU command injection vulnerability (CVE-2026-7244) by monitoring HTTP requests to the vulnerable endpoint with suspicious parameters.

Type: sigma | Tactics: execution | Techniques: T1203 | Sources: webserver, linux

Detect Totolink A8000RU Command Injection - Network

critical

Detects network traffic indicative of command injection attempts against Totolink A8000RU routers.

Type: sigma | Tactics: execution | Techniques: T1203 | Sources: network_connection, firewall

Detect Totolink A8000RU Command Injection in Logs

high

Detects successful command injection attempts in Totolink A8000RU routers by analyzing web server logs for specific patterns.

Type: sigma | Tactics: execution | Techniques: T1203 | Sources: webserver, linux
