### Vulnerability Overview

- **Vulnerability ID**: #80106
- **Vulnerability Name**: Totolink A8000RU 7.1cu.643_b20200521 Command Injection
- **Description**: A pre-authentication OS command injection vulnerability exists in the `setWiFiEasyCfg` feature of the Totolink A8000RU 7.1cu.643_b20200521 router. This feature is exposed via the web management interface (`/cgi-bin/cstecgi.cgi`). The CGI handler retrieves user-controlled input from the HTTP parameter `merge` and embeds it into a shell command string executed using `/sbin/ip`, without any sanitization or escaping. Consequently, a remote attacker with network access can inject arbitrary shell commands through the web interface and execute them with root privileges on the device without authentication. This allows for complete control of the router and potentially further control over the connected network.

### Affected Scope

- **Affected Device**: Totolink A8000RU 7.1cu.643_b20200521
- **Impact Level**: High (can lead to complete device control)

### Remediation

- **Current Status**: Accepted
- **Recommended Measures**: The vendor should release a firmware update as soon as possible to fix this command injection vulnerability. Users should regularly check and update their router firmware to ensure they are using the latest version.

### POC Code / Exploit Code

No specific POC code or exploit code is provided in the page.

### Additional Information

- **Source**: [GitHub Link](https://github.com/Liresheng/vuldb_new2/blob/main/A8000RU/vul_310/README.md)
- **Submission Time**: April 9, 2026, 03:32 PM
- **Review Time**: April 26, 2026, 09:13 PM
- **VulDB Entry**: 359724
- **Credits**: 20

### Community Content

- The submission was completed by a VulDB community user; VulDB is not responsible for the content or external links.
- Exercise caution when using the provided information, as it may contain malicious or harmful content.
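
The description above attributes the flaw to a request value being formatted into a shell command string. As an added example (not code from the firmware, the vendor or the original report), the following C code shows the corresponding fix pattern: an allowlist check on the value, then execution through an argument vector so that no shell parses it. The function names, the 15-character limit, the assumed token format and the argument layout are all assumptions, since the page does not show the handler's code.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check. Assumption: the value is a short name-like token;
 * the page does not say what `merge` is meant to hold. */
static int is_safe_token(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 15 || s[0] == '-')   /* leading '-' would parse as an option */
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run prog with an argument vector; no shell ever parses the value. */
static int run_no_shell(const char *prog, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        execv(prog, argv);
        _exit(127);                        /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical handler step: -2 means the input was rejected and
 * nothing was executed. The real argument layout is not on the page. */
int apply_merge(const char *prog, const char *merge)
{
    if (!is_safe_token(merge))
        return -2;
    char *argv[] = { (char *)prog, (char *)merge, NULL };
    return run_no_shell(prog, argv);
}

int main(void)
{
    /* Constructed inputs: a plain token, then one with a shell metacharacter. */
    return !(is_safe_token("br0") == 1 && is_safe_token("br0;x") == 0);
}
```

Either control alone leaves a gap: validation without `execv` still depends on the allowlist being complete, and `execv` without validation still lets a value beginning with `-` be read as an option by the called program.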