PT-2026-5232 · Totolink · Totolink A7000R

Xuanyu · Published 2026-01-15 · Updated 2026-02-09 · CVE-2026-1547

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions: Totolink A7000R version 4.1cu.4154

Description: A flaw exists in the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file in the affected product. Manipulation of the plugin name argument can lead to command injection. The flaw can be exploited remotely, and a public exploit is available.

Recommendations: Apply a software update that addresses the vulnerability in the setUnloadUserData function. As a temporary workaround, restrict access to the /cgi-bin/cstecgi.cgi file and avoid using the plugin name parameter of the affected file until the issue is resolved.
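Until the update is applied, a defender can at least spot attempts against this handler in web traffic or proxy logs. The following detection routine is an added example and is not part of the advisory or of Totolink's software: it flags requests to /cgi-bin/cstecgi.cgi that reference setUnloadUserData and carry shell metacharacters in any parameter value. The request shape (a JSON body with a "topicurl" key naming the handler and a "plugin_name" key), the sample requests, and the metacharacter list are assumptions constructed for the example; the check deliberately scans every parameter rather than relying on the exact argument name.

```python
"""Added example, not from the advisory: classify requests to the affected
Totolink CGI endpoint so that command-injection attempts against
setUnloadUserData can be alerted on from access or proxy logs.
The request format (JSON body, "topicurl"/"plugin_name" keys) is assumed."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

AFFECTED_PATH = "/cgi-bin/cstecgi.cgi"      # from the advisory
AFFECTED_FUNCTION = "setUnloadUserData"      # from the advisory

# Characters that terminate or chain shell commands. Any of them inside a
# value handed to the vulnerable handler is treated as suspicious.
SHELL_META = re.compile(r"[;&|`$\n\r]")


def extract_params(query: str, body: str) -> dict:
    """Collect parameter values from the URL query string and the body.

    The body is parsed as a JSON object when possible (assumed request
    shape for this endpoint) and as URL-encoded form data otherwise.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    body = body.strip()
    if not body:
        return params
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            params.update({str(k): str(v) for k, v in data.items()})
            return params
    except json.JSONDecodeError:
        pass
    params.update(dict(parse_qsl(body, keep_blank_values=True)))
    return params


def classify_request(url: str, body: str = "") -> str:
    """Return "ignore", "review" or "alert" for one request.

    "review": the request reaches the vulnerable handler but carries no
              shell metacharacters (worth a look while the bug is unpatched).
    "alert":  the handler is referenced and at least one parameter value
              contains a shell metacharacter.
    """
    parts = urlsplit(url)
    if parts.path != AFFECTED_PATH:
        return "ignore"
    params = extract_params(parts.query, body)
    haystack = " ".join(list(params.values()) + [parts.query, body])
    if AFFECTED_FUNCTION not in haystack:
        return "ignore"
    suspicious = [k for k, v in params.items() if SHELL_META.search(v)]
    return "alert" if suspicious else "review"


def scan(requests):
    """Classify a sequence of (url, body) pairs; returns [(verdict, url)]."""
    return [(classify_request(url, body), url) for url, body in requests]


# Constructed sample requests (not real traffic). The handler names other
# than setUnloadUserData are placeholders.
SAMPLE_REQUESTS = [
    ("/cgi-bin/cstecgi.cgi",
     '{"topicurl": "setUnloadUserData", "plugin_name": "demo"}'),
    ("/cgi-bin/cstecgi.cgi",
     '{"topicurl": "setUnloadUserData", "plugin_name": "demo;echo injected"}'),
    ("/cgi-bin/cstecgi.cgi?topicurl=someOtherHandler", ""),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for verdict, url in scan(SAMPLE_REQUESTS):
        print(f"{verdict:6s} {url}")
```

A "review" verdict is kept separate from "alert" on purpose: while the firmware is unpatched, any traffic reaching setUnloadUserData from outside the management network is worth a look even without obvious metacharacters, since the workaround in the advisory is to restrict access to the file altogether.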

Exploit · Fix

Weakness enumeration: Command Injection; Special Elements Injection

Related identifiers: BDU:2026-00935; CVE-2026-1547

Affected products: Totolink A7000R