PatchSiren cyber security CVE debrief

CVE-2026-9455 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The FileName parameter is not properly sanitized, allowing an attacker to inject arbitrary operating system commands. The vulnerability can be exploited remotely without authentication, and a public exploit has been disclosed. The CVSS 4.0 score of 8.9 (HIGH) reflects high confidentiality, integrity, and availability impact. The vulnerability is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection). The CVE was published on May 25, 2026 and last modified on May 26, 2026. No CISA KEV listing is present. Vendor attribution to Totolink is based on reference domain evidence with low confidence and requires review.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink A8000RU deployments; security teams responsible for SOHO router infrastructure; incident response teams tracking IoT command injection exposures

Technical summary

The UploadOpenVpnCert function in /cgi-bin/cstecgi.cgi fails to sanitize the FileName parameter, enabling OS command injection. Remote attackers can execute arbitrary commands without authentication.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to the web management interface of affected Totolink A8000RU devices; implement firewall rules to block external access to /cgi-bin/cstecgi.cgi
  • Monitor for suspicious requests to the UploadOpenVpnCert endpoint containing shell metacharacters in the FileName parameter
  • Apply firmware updates from Totolink when available; verify vendor security advisories at the official Totolink website
  • Consider disabling remote web management access if not required for operations
  • Review network segmentation to isolate affected devices from critical infrastructure
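An added detection example for the monitoring action above (not code from PatchSiren or Totolink): it scans constructed combined-format access-log lines for /cgi-bin/cstecgi.cgi requests that name UploadOpenVpnCert and carry shell metacharacters in the FileName value, decoding URL escapes first so that encoded metacharacters are not missed. It assumes the function name is passed as a query parameter called topicurl and that the parameters appear in the logged URI; where they travel in a POST body instead, pass the decoded body's query string to inspect_request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that have no business in a certificate file name but
# change the meaning of a shell command line.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

# Combined log format: src ident user [timestamp] "METHOD URI HTTP/x.y" ...
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)

# Constructed sample lines, not real traffic. Lines 2-4 carry ';', backticks
# and '$(' in FileName (URL-encoded); lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2026:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=UploadOpenVpnCert&FileName=client.ovpn HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/May/2026:10:01:07 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=UploadOpenVpnCert&FileName=client.ovpn%3Bx HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.9 - - [25/May/2026:10:01:09 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=UploadOpenVpnCert&FileName=%60x%60.crt HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.9 - - [25/May/2026:10:01:11 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=UploadOpenVpnCert&FileName=%24%28x%29.crt HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.2 - - [25/May/2026:10:02:00 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=getSysStatusCfg HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""


def inspect_request(src, ts, uri):
    """Return an alert dict for an UploadOpenVpnCert call whose FileName
    contains a shell metacharacter, or None for anything else."""
    parts = urlsplit(uri)
    if parts.path != "/cgi-bin/cstecgi.cgi":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # Assumption: the function name travels in a parameter named "topicurl".
    if "UploadOpenVpnCert" not in params.get("topicurl", []):
        return None
    for value in params.get("FileName", []):
        hit = SHELL_META.search(value)
        if hit:
            return {"src": src, "ts": ts, "filename": value, "metachar": hit.group()}
    return None


def scan_log(text):
    """Run inspect_request over every parseable line; return the alerts in order."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            alert = inspect_request(m["src"], m["ts"], m["uri"])
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} FileName={a['filename']!r} metachar={a['metachar']!r}")
```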

Evidence notes

Vulnerability confirmed through the VulDB CNA submission. Affected product identified as Totolink A8000RU firmware 7.1cu.643_b20200521. Attack vector: network-accessible web management interface. Weaknesses: CWE-77, CWE-78. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/E:P.

Official resources

Public exploit disclosure confirmed; remote exploitation possible without authentication