PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9408 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the `setStaticDhcpRules` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. This vulnerability has a CVSS 4.0 score of 8.9 (HIGH severity) and is classified under CWE-77 and CWE-78. The exploit has been publicly disclosed and is available for use. The CVE was published on May 25, 2026, and last modified on May 26, 2026. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink A8000RU deployments, security teams responsible for IoT and network infrastructure security, SOHO users with affected routers, and organizations with remote workers using this equipment.

Technical summary

The vulnerability resides in the `setStaticDhcpRules` function of `/cgi-bin/cstecgi.cgi` in Totolink A8000RU firmware 7.1cu.643_b20200521. Insufficient input validation on the `enable` parameter allows OS command injection. Attack complexity is low (AC:L), no privileges are required (PR:N), and no user interaction is needed (UI:N). The vulnerability results in high impact to confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The exploit is publicly available (E:P).

Defensive priority

HIGH

Recommended defensive actions

  • Restrict access to the web management interface of affected Totolink A8000RU routers to trusted administrative hosts only
  • Implement network segmentation to isolate IoT devices including routers from critical network segments
  • Monitor for suspicious HTTP requests to `/cgi-bin/cstecgi.cgi` containing unusual patterns in the `enable` parameter
  • Apply firmware updates from Totolink if and when patches become available for version 7.1cu.643_b20200521
  • Consider replacing affected devices if vendor support has ended and no patches are forthcoming
  • Review router configurations for unauthorized static DHCP rules that may indicate compromise
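
One way to implement the monitoring action above, as an added example that is not code from the advisory or the vendor: a Python check that flags captured requests to `/cgi-bin/cstecgi.cgi` whose `enable` value is not a plain on/off flag. It assumes request bodies are logged by a proxy or IDS, that the handler name travels in a body field called `topicurl`, that bodies are JSON or form-encoded, and that a legitimate `enable` value is `0` or `1`; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
HANDLER = "setStaticDhcpRules"
# Assumption: the handler name is sent in a body field called "topicurl".
HANDLER_FIELD = "topicurl"
# Assumption: a legitimate `enable` value is a single 0/1 flag.
ALLOWED_ENABLE = re.compile(r"[01]")

def parse_body(body):
    """Return body fields as a dict; accepts JSON or form-encoded bodies."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {k: str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def check_request(path, body):
    """Return a finding string for a suspicious request, else None."""
    if path.split("?", 1)[0] != ENDPOINT:
        return None
    fields = parse_body(body)
    if HANDLER not in fields.get(HANDLER_FIELD, ""):
        return None
    value = fields.get("enable")
    if value is None or ALLOWED_ENABLE.fullmatch(value):
        return None
    return "enable=%r is not a plain 0/1 flag" % value

# Constructed sample records (source IP, path, body); not real traffic.
SAMPLES = [
    ("192.0.2.10", ENDPOINT, '{"topicurl":"setStaticDhcpRules","enable":"1"}'),
    ("198.51.100.7", ENDPOINT, '{"topicurl":"setStaticDhcpRules","enable":"1;echo constructed"}'),
    ("198.51.100.7", ENDPOINT, "topicurl=setStaticDhcpRules&enable=0%60echo+x%60"),
    ("192.0.2.10", ENDPOINT, '{"topicurl":"hypotheticalOtherHandler","enable":"$(x)"}'),
    ("192.0.2.10", "/index.html", ""),
]

def scan(records):
    """Return (source, finding) for every record that check_request flags."""
    results = [(src, check_request(path, body)) for src, path, body in records]
    return [(src, finding) for src, finding in results if finding]

if __name__ == "__main__":
    for src, finding in scan(SAMPLES):
        print(src, finding)
```

The check is an allowlist, so it flags any unexpected `enable` value instead of trying to enumerate shell metacharacters; adjust `ALLOWED_ENABLE` if the device's legitimate values differ.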

Evidence notes

The vulnerability is confirmed through a VulDB submission and a GitHub repository containing proof-of-concept documentation. It affects a specific firmware version (7.1cu.643_b20200521) of the Totolink A8000RU router. The attack vector is network-based with low attack complexity and no privileges required.
