CVE-2026-7203 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 28, 2026
Totolink A8000RU - Command Injection
Overview
Totolink A8000RU 7.1cu.643_b20200521 contains a command injection caused by manipulation of the "enable" argument in /cgi-bin/cstecgi.cgi setUrlFilterRules function, letting remote attackers execute OS commands remotely, exploit requires no special privileges.
Severity & Score
Impact
Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
Mitigation
Update to the latest version or apply vendor patches addressing this issue.
References
Social Media Activity(2 posts)
šØ CRITICAL: Totolink A8000RU (7.1cu.643_b20200521) suffers from OS command injection (CVE-2026-7203). Remote, unauthenticated attackers can fully compromise affected routers. No patch confirmed ā disable remote mgmt & isolate. https://radar.offseq.com/threat/cve-2026-7203-os-command-injection-in-totolink-a80-b3a02d32 #OffSeq #Vuln #IoTSec
View original post
š“ CVE-2026-7203 - Critical (9.8) A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os comma... š https://www.thehackerwire.com/vulnerability/CVE-2026-7203/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-7203
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- command_injection
- Status
- rejected
- EPSS
- 89.2%
- Social Posts
- 2
CWE
- CWE-77
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H