PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9436 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setL2tpServerCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. This vulnerability is remotely exploitable and has been publicly disclosed with exploit details available. The CVSS 4.0 score of 8.9 reflects high impacts to confidentiality, integrity, and availability with low attack complexity and no required privileges or user interaction.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink A8000RU deployments, security teams responsible for SOHO router infrastructure, and organizations using these devices for remote access or branch office connectivity should prioritize assessment and mitigation.

Technical summary

The vulnerability exists in the `setL2tpServerCfg` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU firmware 7.1cu.643_b20200521. The `enable` parameter accepts unsanitized input that is passed to a system shell for execution, enabling arbitrary command injection. Attackers can exploit this remotely without authentication to execute commands with root privileges on the underlying Linux-based router operating system.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict access to the web management interface (/cgi-bin/cstecgi.cgi) to trusted administrative hosts only
  • Implement network segmentation to isolate affected routers from untrusted networks
  • Monitor for suspicious requests to the setL2tpServerCfg endpoint containing shell metacharacters
  • Apply firmware updates from Totolink when available
  • Consider disabling remote web management access if not required for operations

Evidence notes

Vulnerability identified through VulDB submission and analysis. Affected product confirmed as Totolink A8000RU router. Weaknesses mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection). CVSS 4.0 vector confirms network attack vector with no authentication required.

Official resources

Public disclosure occurred on 2026-05-25 with exploit details published. The vulnerability carries Deferred status in NVD. No known CISA KEV listing or ransomware campaign association exists at this time.