PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9384 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setDiagnosisCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `ip` parameter is not properly sanitized, allowing an unauthenticated remote attacker to inject arbitrary operating system commands. Successful exploitation grants the attacker full control over the affected device with root privileges. The vulnerability has a CVSS 4.0 score of 8.9 (HIGH severity) and public exploit availability increases immediate risk. The CVE was published on 2026-05-24 and last modified on 2026-05-26. No CISA KEV listing is present. Vendor attribution to Totolink is based on reference domain evidence with low confidence and requires review.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

  • Organizations deploying Totolink A8000RU routers for residential or small office networks
  • Managed service providers with customer premise equipment
  • Security teams responsible for IoT and network infrastructure protection
  • Incident response teams tracking router exploitation campaigns

Technical summary

The vulnerability exists in the `setDiagnosisCfg` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU routers running firmware 7.1cu.643_b20200521. The `ip` parameter accepts user input without proper sanitization, enabling OS command injection. An unauthenticated attacker can send a crafted HTTP request to execute arbitrary commands with root privileges. The attack vector is network-based, requires no authentication, and has low attack complexity. Public exploit availability confirms functional attack code exists in the wild.

Defensive priority

High

Recommended defensive actions

  • Immediately isolate affected Totolink A8000RU devices from untrusted networks and remove any direct internet exposure
  • Apply firmware updates from Totolink if available; verify that the installed version is newer than 7.1cu.643_b20200521
  • If patching is unavailable, disable remote web management access and restrict the administrative interface to trusted internal networks only
  • Implement network segmentation to limit lateral movement if a device is compromised
  • Monitor for suspicious activity targeting the `/cgi-bin/cstecgi.cgi` endpoint, particularly requests to `setDiagnosisCfg` with unusual `ip` parameter values
  • Review device configurations for unauthorized changes that indicate potential compromise
  • Consider replacement with actively supported equipment if vendor patches are not forthcoming
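Added example (not from PatchSiren or Totolink): a small log-scanning check for the monitoring action above, flagging requests to `/cgi-bin/cstecgi.cgi` that mention `setDiagnosisCfg` and carry an `ip` value that is not a bare IP literal. The access-log layout, the form-encoded body and the `topicurl` field name are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"
FUNC_NAME = "setDiagnosisCfg"
# Assumed access-log layout (constructed for this example): the last quoted field
# holds the request body, as a reverse proxy or WAF in front of the router might log it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<body>[^"]*)"$'
)

def is_ip_literal(value: str) -> bool:
    """True only for a bare IPv4/IPv6 address; metacharacters, spaces or hostnames fail."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def classify(line: str):
    """Return None for a benign line, or a dict describing the suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != CGI_PATH:
        return None
    # The function name may travel in the query string or the body; decode both.
    if FUNC_NAME not in unquote(parts.query) + " " + unquote(m.group("body")):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(m.group("body"), keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    for val in params.get("ip", []):  # parse_qs already percent-decodes values
        if not is_ip_literal(val):
            return {"client": m.group("client"), "ts": m.group("ts"), "ip_param": val}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [alert for alert in map(classify, lines) if alert]

# Constructed sample lines using RFC 5737 documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2026:10:00:01 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 51 "topicurl=setDiagnosisCfg&ip=192.0.2.10"',
    '198.51.100.23 - - [24/May/2026:10:00:05 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 51 "topicurl=setDiagnosisCfg&ip=192.0.2.10%3Bx"',
    '203.0.113.7 - - [24/May/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '198.51.100.23 - - [24/May/2026:10:00:12 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setDiagnosisCfg&ip=::1%7C HTTP/1.1" 200 51 "-"',
]
```

If the deployment legitimately passes hostnames to the diagnosis function, extend `is_ip_literal` with a hostname allowlist rather than loosening the metacharacter check.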

Evidence notes

Vulnerability identified in Totolink A8000RU firmware 7.1cu.643_b20200521. Command injection via the unsanitized `ip` parameter in the `setDiagnosisCfg` function. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P. Classified as CWE-77 (command injection) and CWE-78 (OS command injection). Exploit publicly available per VulDB submission 813429 and VulDB vulnerability entry 365347.

Official resources

2026-05-24