CVE-2026-7121: OS Command Injection in Totolink A8000RU setWizardCfg
Unauthenticated OS command injection in Totolink A8000RU 7.1cu.643_b20200521 via the wizard argument in setWizardCfg CGI handler. CVSS 9.8, remotely exploitable, no auth required.
If you own a Totolink A8000RU router, there's a serious problem lurking inside it. Think of your router as the security guard for your entire home network — it's supposed to protect your devices from outsiders. But this vulnerability gives attackers a way to walk right past that guard without even needing a password.
The flaw is in how the router handles a specific setting called the "wizard" parameter. An attacker can send specially crafted commands through this setting and make the router execute whatever instructions they want. It's like discovering your front door lock has a hidden bypass code that anyone can use.
Once someone gets in, they have complete control. They could spy on your internet traffic, steal your passwords, install malware, or use your router to attack other people's networks. Worse, you'd probably never know it happened.
Who should worry most? Anyone using this specific Totolink model router — particularly people running older firmware from 2020. Business owners are especially at risk since compromised routers can serve as entry points to steal company data.
The good news: while this vulnerability is serious, there's no evidence that hackers are actively exploiting it yet. That window is still open to fix it.
Here's what you should do: First, check if you own this router model and what firmware version you're running — you'll find this in your router's settings. Second, contact Totolink's support immediately to ask about a firmware update that patches this flaw. Third, if an update isn't available, consider replacing the router with a more recent model from a manufacturer with better security practices. Don't ignore this one.
CVE-2026-7121 is a critical OS command injection vulnerability in the Totolink A8000RU wireless router, firmware version 7.1cu.643_b20200521. The vulnerable surface is the setWizardCfg function exposed through the device's CGI handler at /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can inject arbitrary shell commands via the wizard POST parameter, achieving full root-level code execution on the device. The attack requires no credentials and no prior access — a single crafted HTTP request is sufficient.
This class of vulnerability is endemic across Totolink firmware. The same CGI dispatcher pattern, the same unsanitized system() calls, and the same JSON parameter extraction logic appear throughout their product line. This is not a one-off mistake; it is a systemic failure in the firmware build process.
Root cause: The setWizardCfg CGI handler passes the attacker-controlled wizard JSON parameter directly into a system() call via sprintf without any sanitization, escaping, or input validation.
Affected Component
The entry point is /cgi-bin/cstecgi.cgi, a monolithic CGI binary that handles all management API calls. Requests are dispatched by action name extracted from the POST body JSON. The action setWizardCfg maps directly to the function below. The binary runs as root (UID 0) under the BusyBox httpd process, meaning any injected command executes with full system privileges.
The CGI binary uses a common Totolink pattern: parse the HTTP POST body as JSON, extract named fields, and pass them into configuration routines. The setWizardCfg handler extracts the wizard field and constructs a shell command string using sprintf before passing it to system(). No character filtering occurs at any point in this path.
// cstecgi.cgi — decompiled pseudocode (MIPS, uClibc)
// Dispatcher calls this after matching action "setWizardCfg"
#include <stdio.h>      // sprintf
#include <stdlib.h>     // system
#include <string.h>     // strncpy
#include "cJSON.h"      // cJSON_GetObjectItem (bundled JSON parser)

typedef struct {
    char *json_body;      // raw POST body
    cJSON *parsed;        // parsed JSON object
    int content_length;
} cgi_request_t;

// Response helpers live elsewhere in the binary; declared so the snippet is complete
void send_json_error(cgi_request_t *req, const char *msg);
void send_json_response(cgi_request_t *req, const char *body);

void setWizardCfg(cgi_request_t *req) {
    char cmd_buf[512];
    char wizard_val[256];
    cJSON *item;

    // Extract "wizard" field from parsed JSON body
    item = cJSON_GetObjectItem(req->parsed, "wizard");
    if (item == NULL) {
        send_json_error(req, "missing param");
        return;
    }

    // BUG: attacker-controlled string copied with no sanitization
    strncpy(wizard_val, item->valuestring, sizeof(wizard_val) - 1);
    wizard_val[sizeof(wizard_val) - 1] = '\0';

    // BUG: wizard_val injected directly into shell command string
    sprintf(cmd_buf, "/bin/wizard.sh %s", wizard_val);

    // BUG: cmd_buf executed as a shell command — arbitrary OS execution
    system(cmd_buf);    // <-- OS COMMAND INJECTION

    send_json_response(req, "{\"result\":\"ok\"}");
}
The strncpy call gives a false sense of safety — it bounds the copy to the local buffer, preventing a stack overflow. But the injection is semantic, not spatial. The shell metacharacters in wizard_val are interpreted by /bin/sh when system() is called. The attacker does not need to overflow anything; they just need to include ;, |, or ` in the wizard value.
The dispatcher loop that reaches setWizardCfg does not enforce authentication for this action in the affected firmware version. The action table entry does not set an auth-required flag, making this a pre-authentication vulnerability reachable directly from the WAN interface if remote management is enabled (it is enabled by default on the A8000RU).
Exploitation is trivial. The payload is a single HTTP POST request. The shell injection terminates the intended argument and appends an arbitrary command. Classic payloads include reverse shells, persistence mechanisms, and credential extraction from NVRAM.
EXPLOIT CHAIN:
1. Attacker sends HTTP POST to http://<target>/cgi-bin/cstecgi.cgi
   with Content-Type: application/json
   Body: {"action":"setWizardCfg","wizard":"x; <injected_command>"}
2. cstecgi.cgi parses JSON, extracts wizard = "x; <injected_command>"
3. setWizardCfg() calls:
   sprintf(cmd_buf, "/bin/wizard.sh %s", "x; <injected_command>")
   → cmd_buf = "/bin/wizard.sh x; <injected_command>"
4. system(cmd_buf) is called — sh -c "/bin/wizard.sh x; <injected_command>"
5. Shell executes injected_command as root (uid=0)
6. Attacker achieves persistent root access, credential theft, or
   network pivoting from the compromised router
A working proof-of-concept payload to exfiltrate the device's shadow file:
Note: The device ships with BusyBox's netcat which supports -e on this firmware version. Alternative delivery via wget to a staged ELF payload is equally viable given the MIPS architecture.
Memory Layout
This is not a memory corruption vulnerability — exploitation is entirely semantic. However, the stack frame of setWizardCfg is worth examining to understand why the strncpy bound does not protect against the actual primitive.
STACK FRAME — setWizardCfg() (MIPS32, grows downward)
  [sp + 0x000]  saved $ra
  [sp + 0x004]  saved $s0 (req pointer)
  [sp + 0x100]  char wizard_val[256]   ← strncpy dest, bounded to 255 chars
  [sp + 0x200]  char cmd_buf[512]      ← sprintf dest

INJECTION ANALYSIS:
  wizard_val max = 255 bytes (safe from overflow)
  cmd_buf = "/bin/wizard.sh " + wizard_val = 15 + 255 = 270 bytes max
  cmd_buf[512] is never overflowed — the bug is NOT memory corruption

  BUT: shell metacharacters in wizard_val are not stripped before
  sprintf/system(), so the shell interprets them at execution time.

  Payload "x;cmd" in wizard_val produces:
    cmd_buf = "/bin/wizard.sh x;cmd"
               ^^^^^^^^^^^^^^^^^^^^
               parsed as TWO commands by /bin/sh
Patch Analysis
Totolink has not released an official patch for this firmware version at time of writing. The correct fix requires input sanitization before the sprintf call, or — better — eliminating system() entirely in favor of execve() with argument arrays, which prevents shell metacharacter interpretation by design.
Option B is the correct approach. execve() passes arguments as discrete array elements directly to the target binary; the shell is never invoked and metacharacters have no special meaning. Option A using an allowlist is acceptable but fragile — any future parameter that legitimately requires special characters will re-open the vulnerability.
Additionally, the authentication flag for setWizardCfg in the action dispatch table must be set to 1 (require auth). Wizard configuration is a post-login operation and should never be accessible to unauthenticated requests.
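As an added illustration of Option A and Option B together (example code, not Totolink's firmware or any vendor patch): the wizard value is first checked against an allowlist, then passed to /bin/wizard.sh as one discrete argv element through fork() and execv(), so /bin/sh never parses it. The allowlist character set is an assumption about what legitimate wizard values look like.

```c
/* Added example, not Totolink's code: hardened replacement for setWizardCfg.
 * Option A: allowlist the value. Option B: execv() with an argv array, no shell. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define WIZARD_MAX 255   /* same bound the original strncpy used */

/* Option A: accept only [A-Za-z0-9._-], non-empty, at most WIZARD_MAX bytes.
 * The character set is an assumption about what wizard.sh legitimately takes.
 * Returns 1 if the value is acceptable, 0 otherwise (NULL is rejected too). */
int wizard_value_ok(const char *s) {
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > WIZARD_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Option B: run `prog value` with the value as one discrete argv element.
 * execv() never invokes /bin/sh, so ';', '|' and '`' reach the program as
 * literal bytes. Returns the child's exit status, or -1 on fork/wait failure;
 * 127 means the exec itself failed. */
int run_wizard_exec(const char *prog, const char *value) {
    char *const argv[] = { (char *)prog, (char *)value, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(prog, argv);
        _exit(127);               /* exec failed: never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened handler body: validate first, execute without a shell second.
 * Returns -2 when the value is rejected (caller sends "bad param"). */
int set_wizard_cfg_hardened(const char *wizard_val) {
    if (!wizard_value_ok(wizard_val)) return -2;
    return run_wizard_exec("/bin/wizard.sh", wizard_val);
}
```

With this in place the "x;cmd" payload from the memory layout section is rejected before any process is spawned, and even a value that slipped past the allowlist would arrive in wizard.sh's $1 as literal text rather than as a second shell command.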
Detection and Indicators
Detection on the network side requires HTTP request inspection. The following Suricata rule will match the injection pattern:
On-device indicators of compromise (if shell access is available for forensics):
IOC CHECKLIST:
- Unexpected outbound connections from router process (netstat -an)
- New cron entries in /var/spool/cron/ or /etc/crontabs/
- Modified /etc/shadow or /etc/passwd timestamps
- Unknown processes running as uid=0 (ps aux)
- httpd access log entries matching POST /cgi-bin/cstecgi.cgi with
  body containing semicolons or pipe chars in "wizard" field
- /tmp/ containing downloaded ELF binaries (ls -la /tmp)
Remediation
Immediate mitigations (no patch available):
Disable remote (WAN-side) management in the router's admin interface under System → Remote Management. This does not fully mitigate LAN-side attacks but eliminates internet exposure.
Place the router's management interface behind a firewall rule blocking external access to port 80/443.
Segment the router management VLAN from untrusted hosts on the LAN.
Long-term: No vendor patch exists for 7.1cu.643_b20200521 at time of writing. The A8000RU appears to be end-of-life. Users should migrate to actively maintained hardware. If replacement is not immediately possible, the WAN management disable is the highest-priority control.
This vulnerability is consistent with a broader pattern across Totolink's CGI-based firmware. Researchers auditing other A-series or X-series devices should treat every system() call in cstecgi.cgi handlers as a candidate injection point and specifically examine whether the corresponding action table entry enforces authentication.