| 标题 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection |
|---|
| 描述 | A pre‑authentication OS command injection vulnerability exists in the `setting/setTelnetCfg` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router.
The CGI handler retrieves user‑controlled input from the HTTP parameter `telnet_enabled`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication.
|
|---|
| 来源 | ⚠️ https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_345/README.md |
|---|
| 用户 | LtzHust (UID 95660) |
|---|
| 提交 | 2026-04-26 12時41分 (1 月前) |
|---|
| 管理 | 2026-05-24 09時57分 (28 days later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 359751 [Totolink A8000RU 7.1cu.643_b20200521 CGI /cgi-bin/cstecgi.cgi setTelnetCfg telnet_enabled 权限提升] |
|---|
| 积分 | 0 |
|---|