PatchSiren cyber security CVE debrief
CVE-2026-9387 Totolink CVE debrief
A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the setUpgradeFW function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The resetFlags parameter is susceptible to OS command injection, allowing remote attackers to execute arbitrary commands without authentication. The vulnerability has a CVSS 4.0 score of 8.9 (HIGH severity) with a network attack vector, low attack complexity, and no required privileges or user interaction. An exploit has been publicly released, increasing the risk of active exploitation. The CVE was published on 2026-05-24 and last modified on 2026-05-26. The vulnerability is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
- Vendor: Totolink
- Product: A8000RU
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Network administrators managing Totolink A8000RU deployments, security teams responsible for edge network infrastructure, and organizations using these routers for remote access or branch connectivity.
Technical summary
The vulnerability exists in the setUpgradeFW function of /cgi-bin/cstecgi.cgi in Totolink A8000RU firmware 7.1cu.643_b20200521. Insufficient input validation on the resetFlags parameter allows OS command injection. The attack can be initiated remotely without authentication, enabling arbitrary command execution on the underlying operating system with the privileges of the web server process.
Defensive priority
HIGH
Recommended defensive actions
- Restrict network access to the web management interface of affected Totolink A8000RU routers to trusted administrative hosts only
- Implement network segmentation to isolate affected routers from critical internal networks
- Monitor for suspicious requests to /cgi-bin/cstecgi.cgi containing unusual resetFlags parameter values
- Apply firmware updates from Totolink when available, prioritizing devices with internet-exposed management interfaces
- Consider disabling remote web management access if not required for operations
- Review router logs for indicators of compromise, particularly unauthorized command execution patterns
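The monitoring action above, as an added example (not part of the original advisory or any vendor tooling): an allowlist check over captured requests to /cgi-bin/cstecgi.cgi that reports any resetFlags value outside the expected shape. It assumes your proxy or WAF logs request bodies, that the body is JSON or form-encoded, and that legitimate resetFlags values are short alphanumeric tokens; the record layout and sample values are constructed.

```python
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
PARAM = "resetFlags"               # parameter named in the advisory
# Assumption: valid values are short alphanumeric tokens; tune to your UI.
EXPECTED = re.compile(r"[A-Za-z0-9]{1,8}")


def extract_param(body):
    """Return (found, value) for PARAM from a JSON or form-encoded body."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and PARAM in doc:
            return True, str(doc[PARAM])
    except ValueError:
        pass
    form = parse_qs(body, keep_blank_values=True)
    if PARAM in form:
        return True, form[PARAM][0]
    # Name present but body unparseable: report it instead of ignoring it.
    return PARAM in body, None


def review(records):
    """Return findings for requests whose resetFlags value is not allowlisted."""
    findings = []
    for src, path, body in records:
        if path.split("?", 1)[0] != CGI_PATH:
            continue
        found, value = extract_param(body)
        if found and (value is None or not EXPECTED.fullmatch(value)):
            findings.append({"src": src, "value": value})
    return findings


# Constructed sample records: (source IP, request path, request body).
SAMPLE = [
    ("192.0.2.10", CGI_PATH, '{"resetFlags": "1"}'),
    ("203.0.113.7", CGI_PATH, '{"resetFlags": "1;CONSTRUCTED"}'),
    ("203.0.113.7", CGI_PATH, "resetFlags=%24%28CONSTRUCTED%29"),
    ("198.51.100.4", "/index.html", ""),
    ("203.0.113.9", CGI_PATH, '{"resetFlags": "1"'),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

An allowlist is used instead of a list of shell metacharacters so that encodings or characters not anticipated in advance are still reported.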
Evidence notes
Vulnerability confirmed through VulDB submission and analysis. Affected product identified as Totolink A8000RU with specific firmware version 7.1cu.643_b20200521. Attack vector is remote and unauthenticated.
Official resources
Public disclosure with exploit availability