LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-7155

CVE-2026-7155 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 28, 2026

Totolink A8000RU - Command Injection

Published: April 27, 2026Updated: April 28, 2026Remote Exploitable

Overview

Totolink A8000RU 7.1cu.643_b20200521 contains a command injection caused by manipulation of the "admpass" argument in /cgi-bin/cstecgi.cgi's setLoginPasswordCfg function, letting remote attackers execute OS commands.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 89.2%(Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation

Update to the latest version.

References

Social Media Activity(1 post)

OffSequence
OffSequence
@offseq
Apr 28, 2026

💥 CVE-2026-7155: CRITICAL OS command injection in Totolink A8000RU (7.1cu.643_b20200521). Exploitable remotely, no auth needed. Disable remote mgmt & restrict access until patch. Details: https://radar.offseq.com/threat/cve-2026-7155-os-command-injection-in-totolink-a80-1189da9b #OffSeq #Vulnerability #CVE2026_7155 #IoTSecurity

View original post

Related Resources

Details

CVE ID
CVE-2026-7155
Severity
Critical
CVSS Score
9.8
Type
command_injection
Status
rejected
EPSS
89.2%
Social Posts
1

CWE

  • CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

89.2%Probability of exploitation in the next 30 days