Submit #813909: Totolink A8000RU 7.1cu.643_b20200521 Command Injectioninfo

TitleTotolink A8000RU 7.1cu.643_b20200521 Command Injection
DescriptionA pre‑authentication OS command injection vulnerability exists in the `setL2tpServerCfg` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router. The CGI handler retrieves user‑controlled input from the HTTP parameter `enable`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication.
Source⚠️ https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_357/README.md
User LtzHuster2 (UID 96397)
Submission04/27/2026 08:03 (3 months ago)
Moderation05/24/2026 09:07 (27 days later)
StatusAccepted
VulDB entry365417 [Totolink A8000RU 7.1cu.643_b20200521 Web Management Interface /cgi-bin/cstecgi.cgi setL2tpServerCfg enable os command injection]
Points20

Do you know our Splunk app?

Download it now for free!