CVE-2026-7242

Name of the Vulnerable Software and Affected Versions Totolink A8000RU version 7.1cu.643 b20200521

Description An OS command injection flaw exists in the CGI Handler component. The issue occurs because the setOpenVpnClientCfg() function in the '/cgi-bin/cstecgi.cgi' endpoint fails to adequately sanitize input from the enabled argument. This allows a remote, unauthenticated attacker to execute arbitrary operating system commands by sending a specially crafted HTTP request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the '/cgi-bin/cstecgi.cgi' endpoint or disabling the setOpenVpnClientCfg() function to minimize the risk of exploitation.