Totolink A7000R
cpe:2.3:h:totolink:a7000r:*:*:*:*:*:*:*, +1 more
- 4.1cu.4154
A command injection vulnerability has been identified in the Totolink A7000R router running firmware version 4.1cu.4154. The issue arises in the 'CloudACMunualUpdateUserdata' function within the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows for unauthorized command execution by manipulating the 'url' parameter. The exploitation can be performed remotely, and a public exploit is available.
Successful exploitation results in unauthorized execution of arbitrary commands on the affected device, running with the privileges of the web server process.
To reproduce this vulnerability, send an HTTP POST request to '/cgi-bin/cstecgi.cgi' with the 'topicurl' parameter set to 'setting/CloudACMunualUpdateUserdata' and the 'url' parameter containing the command to be executed. This request can be made using a tool like curl or Postman, or through a custom script that automates the process.
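As an added example (not code from this advisory, the vendor, or the public exploit), the following detection logic flags requests matching the pattern described above when run over access-log lines. The single-line log layout, field order, IP addresses and sample bodies are constructed assumptions; the real firmware may accept the parameters in a different encoding.

```python
"""Flag requests to the CloudACMunualUpdateUserdata handler whose 'url'
parameter is not a plain download URL. Added example; assumes a constructed
log format: <client-ip> <method> <path> <url-encoded POST body>."""
import re
from urllib.parse import parse_qs, urlparse

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_TOPIC = "setting/CloudACMunualUpdateUserdata"
# Characters that have no place in a plain download URL but let a shell
# chain, substitute or redirect commands.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")


def is_plain_url(value: str) -> bool:
    """True if value is a well-formed http(s) URL free of shell metacharacters."""
    if SHELL_META.search(value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def classify_request(line: str) -> str:
    """Return 'ignore', 'benign' or 'suspicious' for one log line."""
    try:
        _client, method, path, body = line.split(" ", 3)
    except ValueError:
        return "ignore"  # malformed line: fewer than four fields
    if method != "POST" or path != TARGET_PATH:
        return "ignore"
    params = parse_qs(body, keep_blank_values=True)
    if params.get("topicurl", [""])[0] != TARGET_TOPIC:
        return "ignore"  # some other cstecgi.cgi topic, not this handler
    url = params.get("url", [""])[0]
    return "benign" if is_plain_url(url) else "suspicious"


def scan(lines):
    """Return the client addresses whose requests look like injection attempts."""
    return [l.split(" ", 1)[0] for l in lines if classify_request(l) == "suspicious"]


# Constructed sample lines (not real traffic); the last field is the POST body.
SAMPLE_LOG = [
    "192.0.2.10 POST /cgi-bin/cstecgi.cgi topicurl=setting/CloudACMunualUpdateUserdata&url=http%3A%2F%2Fupdate.example%2Fuser.bin",
    "192.0.2.11 POST /cgi-bin/cstecgi.cgi topicurl=setting/CloudACMunualUpdateUserdata&url=http%3A%2F%2Fx%3Becho%20probe",
    "192.0.2.12 POST /cgi-bin/cstecgi.cgi topicurl=setting/exampleOtherTopic&key=value",
    "192.0.2.13 GET /index.html -",
]

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print("suspicious CloudACMunualUpdateUserdata request from", ip)
```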