| tiêu đề | Totolink A8000RU 7.1cu.643_b20200521 Command Injection |
|---|
| Mô tả | A pre‑authentication OS command injection vulnerability exists in the `setIpv6LanCfg` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router.
The CGI handler retrieves user‑controlled input from the HTTP parameter `addrPrefixLen`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication.
This allows full compromise of the router and, potentially, further compromise of the attached network. |
|---|
| Nguồn | ⚠️ https://github.com/Litengzheng/vuldb_new2/tree/main/A8000RU/vul_309/README.md |
|---|
| Người dùng | LtzHuster2 (UID 96397) |
|---|
| Đệ trình | 09/04/2026 15:29 (cách đây 19 ngày) |
|---|
| Kiểm duyệt | 26/04/2026 21:13 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 359723 [Totolink A8000RU 7.1cu.643_b20200521 CGI /cgi-bin/cstecgi.cgi setIpv6LanCfg addrPrefixLen nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|