PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9406 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setRemoteCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enable` parameter is susceptible to OS command injection, allowing remote unauthenticated attackers to execute arbitrary commands on the underlying operating system. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and no user interaction needed, resulting in high impacts to confidentiality, integrity, and availability. The vulnerability was disclosed publicly on May 25, 2026, with exploit availability confirmed. The vendor attribution to Totolink is low confidence: it is based on reference domain analysis and requires review. No CISA KEV listing is present.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink A8000RU deployments, security teams responsible for IoT and network infrastructure protection, SOHO users with affected routers, and organizations with remote management interfaces exposed to untrusted networks.

Technical summary

The vulnerability exists in the `setRemoteCfg` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU routers running firmware 7.1cu.643_b20200521. Insufficient input sanitization on the `enable` parameter allows OS command injection. The attack is remotely exploitable without authentication. The CVSS 4.0 score of 8.9 reflects high severity: a network attack vector, low attack complexity, and high impacts on confidentiality, integrity, and availability. The exploit has been made publicly available.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict administrative interface access to trusted management networks only; implement network segmentation to isolate affected router management interfaces from untrusted networks
  • Monitor for suspicious requests to `/cgi-bin/cstecgi.cgi` containing the `setRemoteCfg` action with anomalous `enable` parameter values
  • Apply firmware updates from the vendor if and when available; given the 2020 firmware date (7.1cu.643_b20200521), verify current support status with the vendor
  • Consider replacing affected devices if vendor support has ended and no patch is forthcoming
  • Review device configurations for unauthorized changes that may indicate compromise
  • Implement egress filtering to limit command-and-control communications from IoT device segments
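
One way to implement the monitoring action above, as an added example (not PatchSiren's or the vendor's code): a Python scan over request records captured by a proxy or sensor in front of the router. The JSON-lines record layout, the `topicurl` key in the sample bodies, and `0`/`1` as the only normal `enable` values are assumptions; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qsl

CGI_PATH = "/cgi-bin/cstecgi.cgi"
ACTION = "setRemoteCfg"
ALLOWED_ENABLE = {"0", "1"}  # assumption: a normal on/off toggle
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")

def parse_body(body):
    """Flatten a POST body (JSON object or form-encoded) into str -> str."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return dict(parse_qsl(body, keep_blank_values=True))

def classify(record):
    """Return a finding label, or None for unrelated or normal requests."""
    if record["path"].split("?", 1)[0] != CGI_PATH:
        return None
    fields = parse_body(record["body"])
    enable = fields.get("enable")
    # The action is matched on any field value, so its key name is not assumed.
    if ACTION not in fields.values() or enable is None or enable in ALLOWED_ENABLE:
        return None
    return "shell-metacharacter" if SHELL_META.search(enable) else "unexpected-value"

def scan(lines):
    """Scan JSON-lines records and return (source, finding) pairs."""
    records = (json.loads(line) for line in lines)
    return [(r["src"], classify(r)) for r in records if classify(r)]

def _rec(src, body, path=CGI_PATH):
    return json.dumps({"src": src, "path": path, "body": body})

# Constructed records with documentation-range addresses, not real traffic.
# The "topicurl" key and the PLACEHOLDER text are assumptions for illustration.
SAMPLE = [
    _rec("192.0.2.10", '{"topicurl":"setRemoteCfg","enable":"1"}'),
    _rec("198.51.100.7", '{"topicurl":"setRemoteCfg","enable":"1;PLACEHOLDER"}'),
    _rec("198.51.100.9", "topicurl=setRemoteCfg&enable=1%26PLACEHOLDER"),
    _rec("203.0.113.5", '{"topicurl":"setRemoteCfg","enable":"yes"}'),
    _rec("203.0.113.6", '{"topicurl":"otherAction","enable":"1;PLACEHOLDER"}'),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```
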

Evidence notes

Vulnerability confirmed through VulDB CNA submission (ID 813441) and assigned VulDB entry 365387. CVSS 4.0 vector provided: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/E:P, indicating a network-accessible, low-complexity attack with proof-of-concept exploit availability. Weaknesses mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection). Vendor attribution derived from reference domain analysis with low confidence; official vendor confirmation pending.

Official resources

Public disclosure with confirmed exploit availability. The vulnerability was published to CVE on May 25, 2026, and modified on May 26, 2026. No CISA KEV entry exists.