CVE-2026-7122

Name of the Vulnerable Software and Affected Versions Totolink A8000RU version 7.1cu.643 b20200521

Description An OS command injection issue exists in the CGI Handler component. Remote attackers can exploit this by manipulating the enable argument within the setUPnPCfg() function of the '/cgi-bin/cstecgi.cgi' endpoint.

Recommendations As a temporary workaround, consider restricting access to the '/cgi-bin/cstecgi.cgi' endpoint or disabling the setUPnPCfg() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.