Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2026-7204 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-7204

CVE-2026-7204

CRITICAL9.8

Totolink A8000RU CGI cstecgi.cgi setPptpServerCfg os command injection

Published Apr 28, 2026

Modified 1 months ago

Details

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

References

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_323/README.md

https://vuldb.com/submit/801530

https://vuldb.com/vuln/359804

https://vuldb.com/vuln/359804/cti

https://www.cve.org/CVERecord?id=CVE-2026-7204

https://www.totolink.net/

CVSS Analysis

CVSS v4.0

9.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

9.3/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Injection

OS Command Injection

Input Validation

Command Injection

Ecosystems

Timeline

PublishedApr 28, 2026

ModifiedApr 28, 2026