PatchSiren cyber security CVE debrief
CVE-2026-9433 Totolink CVE debrief
A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setMacFilterRules` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. The CVSS 4.0 score of 8.9 (HIGH) reflects network attack vector, low attack complexity, no required privileges, and high impact to confidentiality, integrity, and availability. The vulnerability was disclosed publicly on 2026-05-25 with exploit availability confirmed. The NVD entry currently shows a status of 'Deferred', indicating the record may be under review or awaiting additional analysis. No CPE criteria are currently assigned, and vendor attribution carries low confidence pending direct vendor confirmation.
- Vendor: Totolink
- Product: A8000RU
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations and individuals deploying Totolink A8000RU routers for residential or small office networks; managed service providers with client networks using Totolink equipment; security teams responsible for consumer-grade network infrastructure; incident response teams tracking IoT/router exploitation campaigns.
Technical summary
The vulnerability exists in the `setMacFilterRules` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU firmware 7.1cu.643_b20200521. The `enable` parameter accepts unsanitized input that is passed to system shell execution, enabling remote unauthenticated attackers to execute arbitrary commands with root privileges on the underlying Linux-based router operating system. The attack requires no authentication and can be conducted remotely over the network.
Defensive priority
HIGH
Recommended defensive actions
- Isolate affected Totolink A8000RU devices from untrusted networks until a firmware update is available
- Monitor for unauthorized access attempts to the `/cgi-bin/cstecgi.cgi` endpoint
- Implement network segmentation to restrict management interface access to authorized administrative hosts only
- Review device configurations for indicators of compromise, including unexpected MAC filter rules or scheduled tasks
- Contact Totolink support to confirm vulnerability status and request a security patch timeline
- Consider replacement with actively supported router hardware if the vendor patch timeline is unacceptable
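One way to carry out the monitoring and access-restriction actions above, as an added example that is not code from the advisory or from Totolink. The log record layout (JSON lines with `src`, `path`, `body`), the `topicurl` body key, the idea that a legitimate `enable` value is `0` or `1`, and all addresses and sample values are assumptions or constructed data.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setMacFilterRules"
SAFE_ENABLE = re.compile(r"[01]")  # assumption: legitimate values are "0" or "1"

def review_request(record, admin_hosts):
    """Return the reasons a logged request to the endpoint deserves triage."""
    if record.get("path", "").split("?")[0] != ENDPOINT:
        return []
    reasons = []
    if record.get("src") not in admin_hosts:
        reasons.append("source is not an authorized admin host")
    try:
        body = json.loads(record.get("body") or "{}")
    except ValueError:
        body = None
    if not isinstance(body, dict):
        # Malformed bodies that still name the function are worth a look.
        if FUNCTION in str(record.get("body")):
            reasons.append("unparseable body naming " + FUNCTION)
        return reasons
    # Key-agnostic match: any field whose value names the function.
    if FUNCTION in body.values():
        enable = body.get("enable")
        if not (isinstance(enable, str) and SAFE_ENABLE.fullmatch(enable)):
            reasons.append("enable is not a plain 0/1 value: %r" % (enable,))
    return reasons

def scan(lines, admin_hosts):
    """Return (line_number, src, reasons) for every request worth a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        record = json.loads(line)
        reasons = review_request(record, admin_hosts)
        if reasons:
            findings.append((n, record.get("src"), reasons))
    return findings

def _line(src, path, body):  # builds one constructed sample record
    return json.dumps({"src": src, "path": path, "body": json.dumps(body)})

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = [
    _line("192.0.2.10", ENDPOINT, {"topicurl": FUNCTION, "enable": "1"}),
    _line("192.0.2.10", ENDPOINT, {"topicurl": FUNCTION, "enable": "1;PLACEHOLDER"}),
    _line("198.51.100.7", ENDPOINT, {"topicurl": FUNCTION, "enable": "0"}),
    _line("198.51.100.7", "/index.html", {}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, admin_hosts={"192.0.2.10"}):
        print(finding)
```

The allowlist check on `enable` is deliberately strict: anything other than a single expected digit is reported, rather than trying to enumerate shell metacharacters.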
Evidence notes
Vulnerability identified through VulDB CNA submission. Affected product attribution based on reference domain analysis with low confidence. No CPE criteria assigned in NVD record. CVSS 4.0 vector indicates exploit maturity as 'Proof-of-concept' (E:P). NVD status 'Deferred' suggests ongoing review.
Official resources
Public disclosure occurred on 2026-05-25 with confirmed exploit availability. The vulnerability affects a consumer-grade wireless router with remote attack capability and no authentication requirements, presenting significant exposure forSO