PatchSiren cyber security CVE debrief
CVE-2026-9435 Totolink CVE debrief
A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setQosCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges and no user interaction, with high impact on confidentiality, integrity and availability. The vulnerability is recorded as publicly exploited according to source metadata. The CVE was published on 2026-05-25 and last modified on 2026-05-26.
- Vendor: Totolink
- Product: A8000RU
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Network administrators managing Totolink A8000RU deployments, security teams responsible for SOHO and remote office infrastructure, IoT security practitioners, and organizations whose remote workers rely on consumer-grade routing equipment.
Technical summary
The vulnerability is an unauthenticated OS command injection in the QoS configuration handler of the Totolink A8000RU router's web interface. The `setQosCfg` function in `/cgi-bin/cstecgi.cgi` fails to sanitize the `enable` parameter, allowing shell metacharacters and command sequences to be passed directly to system execution functions. This enables remote attackers to execute arbitrary commands with the privileges of the web server process, typically root on embedded Linux router firmware. The attack requires no authentication and can be conducted directly over the network via HTTP requests to the management interface.
Defensive priority
HIGH
Recommended defensive actions
- Immediately restrict access to the Totolink A8000RU web management interface from untrusted networks; place management interface behind firewall rules limiting source IP addresses to administrative hosts only
- Disable remote web management access if not strictly required; consider using alternative local-only administration methods
- Monitor for requests to `/cgi-bin/cstecgi.cgi` whose `enable` parameter (or any other argument) carries shell metacharacters such as `;`, `|`, `&`, backticks, `$(`, or encoded forms of them; a legitimate enable flag should be a short on/off value, so anything longer or containing command-like syntax warrants a look
- Apply firmware updates from Totolink when available and verify that the patched version addresses CVE-2026-9435 specifically; the affected build string (7.1cu.643_b20200521) dates from 2020, so confirm the device is still receiving vendor updates rather than assuming a fix will arrive
- Conduct forensic review of device logs for evidence of prior exploitation, particularly unauthorized command execution or configuration changes
- Segment IoT/router devices on isolated network segments with restricted egress to limit lateral movement if compromise occurs
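Detection logic matching the monitoring recommendation above, as an added example that is not part of the original advisory or of any Totolink code. It assumes the `enable` argument arrives either in the URL query string or in a JSON object body; the advisory names the endpoint, the `setQosCfg` function and the argument but not the on-wire encoding, so adjust the parsers to the traffic you actually see. The allowlist of expected flag values and the sample requests are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Added example for this debrief; not Totolink firmware code.  The two request
# encodings handled here (URL query string and JSON object body) are assumptions:
# the advisory names the endpoint, the setQosCfg function and the `enable`
# argument but not the on-wire encoding.
ENDPOINT = "/cgi-bin/cstecgi.cgi"

# Characters that let a parameter value terminate or extend a shell command.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")
# Values a QoS enable flag could plausibly take (assumed allowlist).
ALLOWED = re.compile(r"^(?:[01]|on|off|true|false)$", re.IGNORECASE)

SEVERITY = {"benign": 0, "anomalous": 1, "suspicious": 2}


def enable_values(request_line, body=""):
    """Return the `enable` values in a request to the vulnerable endpoint,
    or None when the request targets some other path."""
    fields = request_line.split()
    target = fields[1] if len(fields) > 1 else ""
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return None
    values = list(parse_qs(url.query).get("enable", []))
    if body:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if isinstance(data, dict):
            if "enable" in data:
                values.append(str(data["enable"]))
        else:  # fall back to a form-encoded body
            values.extend(parse_qs(body).get("enable", []))
    return values


def classify(request_line, body=""):
    """'not-target' for other paths; otherwise the worst verdict over all
    `enable` values: 'suspicious' (shell metacharacter present),
    'anomalous' (outside the assumed allowlist) or 'benign'."""
    values = enable_values(request_line, body)
    if values is None:
        return "not-target"
    verdict = "benign"
    for value in values:
        if SHELL_META.search(value):
            v = "suspicious"
        elif ALLOWED.match(value.strip()):
            v = "benign"
        else:
            v = "anomalous"
        if SEVERITY[v] > SEVERITY[verdict]:
            verdict = v
    return verdict


# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    ("GET /index.html HTTP/1.1", ""),
    ("GET /cgi-bin/cstecgi.cgi?enable=1 HTTP/1.1", ""),
    ("POST /cgi-bin/cstecgi.cgi HTTP/1.1", '{"enable": 0}'),
    ("POST /cgi-bin/cstecgi.cgi HTTP/1.1", '{"enable": "yes"}'),
    ("GET /cgi-bin/cstecgi.cgi?enable=1%3Bid HTTP/1.1", ""),
    ("POST /cgi-bin/cstecgi.cgi HTTP/1.1", '{"enable": "1`id`"}'),
]


def scan(samples=SAMPLES):
    """Classify each (request_line, body) pair; returns a list of verdicts."""
    return [classify(line, body) for line, body in samples]


if __name__ == "__main__":
    for (line, body), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:10s} {line} {body}")
```

The `anomalous` tier exists because the allowlist is a guess: a value that is neither an obvious injection nor a recognised flag should be reviewed and, once confirmed legitimate, added to `ALLOWED` rather than silently dropped. Percent-encoded metacharacters in the query string are decoded by `parse_qs` before matching, which is why `enable=1%3Bid` is caught.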
Evidence notes
Vulnerability identified in Totolink A8000RU firmware 7.1cu.643_b20200521. Affected component: Web Management Interface, specifically `/cgi-bin/cstecgi.cgi` `setQosCfg` function. Attack vector: manipulation of `enable` argument enabling OS command injection. CVSS 4.0 score 8.9 (HIGH). CWE-77 and CWE-78 identified as primary weakness types. Exploitation confirmed public per source metadata. Vendor attribution based on reference domain candidate with low confidence; vendor name marked for review.
Official resources
2026-05-25