Primary

Context

Totolink A7000R Command Injection Vulnerability in the setUpgradeFW Function

Vulnerability

A command injection vulnerability has been identified in the Totolink A7000R router running firmware version 4.1cu.4154. The issue arises in the setUpgradeFW function within the file /cgi-bin/cstecgi.cgi. This vulnerability allows for unauthorized command execution by manipulating the FileName argument. The exploitation can be performed remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected router.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to /cgi-bin/cstecgi.cgi. Include the FileName parameter in the request body, and manipulate it to execute arbitrary commands. For example, a command to list directory contents could be used.

Added: Jan 29, 2026, 9:19 PM

Updated: Jan 29, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

7.5

exploitability

9.1

remediation

0.0

relevance

2.6

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

7.5

exploitability

9.1

remediation

0.0

relevance

2.6

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Totolink A7000R Command Injection Vulnerability in the setUpgradeFW Function

Vulnerability

Impact

Reproduction

Affected Products

TOTOLINK A7000R

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating