PatchSiren cyber security CVE debrief
CVE-2026-9456 Totolink CVE debrief
A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the `setOpenVpnCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enabled` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. The attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The vulnerability has been publicly disclosed with proof-of-concept material available. The CVSS 4.0 vector indicates high impacts to confidentiality, integrity, and availability. The vendor field indicates uncertainty regarding official vendor attribution, with evidence pointing to Totolink based on reference domain analysis.
- Vendor: Totolink
- Product: A8000RU
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations deploying Totolink A8000RU routers for remote access, VPN gateway, or small office/home office networking; managed service providers with IoT/router fleets; security teams responsible for network perimeter hardening and IoT security posture management.
Technical summary
The vulnerability resides in the `setOpenVpnCfg` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU firmware 7.1cu.643_b20200521. Insufficient input validation on the `enabled` parameter permits shell metacharacter injection, resulting in arbitrary command execution with web server privileges. The attack requires no authentication and can be executed remotely via HTTP requests to the device's web interface.
Defensive priority
HIGH
Recommended defensive actions
- Restrict network access to the web management interface of affected Totolink A8000RU devices; implement firewall rules to block inbound connections to TCP ports 80 and 443 from untrusted networks
- Apply firmware updates from the vendor if and when available; monitor Totolink security advisories for patched releases
- Consider disabling remote web management access entirely if not operationally required
- Deploy network segmentation to isolate IoT/router management interfaces from production networks and user endpoints
- Monitor for suspicious HTTP requests to `/cgi-bin/cstecgi.cgi` containing shell metacharacters or command injection patterns in the `enabled` parameter
- Review device configurations for unauthorized changes that may indicate compromise, particularly OpenVPN settings
- If compromise is suspected, perform factory reset and reconfiguration from known-good backup; rotate all administrative credentials
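A sketch of the monitoring item above, as an added example (not code from the advisory or the vendor): it classifies captured requests to `/cgi-bin/cstecgi.cgi` by the content of the `enabled` parameter. Assumptions: the body is JSON or form-encoded, the function name appears somewhere in the body (the `topicurl` field in the samples is hypothetical), a legitimate `enabled` value is `0` or `1`, and the sample requests are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setOpenVpnCfg"
# Characters a shell treats specially; none belong in an on/off toggle.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"]")
# Assumption: a legitimate `enabled` value is a plain 0/1 flag.
ALLOWED_ENABLED = {"0", "1"}

def extract_fields(body):
    """Parse a JSON object body, falling back to form encoding (both assumed)."""
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict):
            return {k: str(v) for k, v in parsed.items()}
    except ValueError:
        pass
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def classify(path, body):
    """Return 'ignore', 'ok', 'anomalous' or 'injection' for one request."""
    if path.split("?", 1)[0] != ENDPOINT or FUNCTION not in body:
        return "ignore"
    fields = extract_fields(body)
    if "enabled" not in fields:
        return "ignore"
    value = fields["enabled"]
    if SHELL_META.search(value):
        return "injection"   # alert: metacharacter in the vulnerable parameter
    return "ok" if value in ALLOWED_ENABLED else "anomalous"

# Constructed sample requests (path, body); EXAMPLE is a harmless placeholder.
SAMPLES = [
    (ENDPOINT, '{"topicurl":"setOpenVpnCfg","enabled":"1"}'),
    (ENDPOINT, '{"topicurl":"setOpenVpnCfg","enabled":"1;EXAMPLE"}'),
    (ENDPOINT, "topicurl=setOpenVpnCfg&enabled=1%60EXAMPLE%60"),
    (ENDPOINT, '{"topicurl":"setOpenVpnCfg","enabled":"yes"}'),
    ("/index.html", ""),
]

def scan(samples):
    return [classify(path, body) for path, body in samples]

if __name__ == "__main__":
    for (path, body), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:10} {path} {body}")
```

Treat `anomalous` as worth review as well: an allowlist on the expected value catches inputs that a metacharacter pattern alone would miss.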
Evidence notes
Vulnerability identified through VulDB CNA submission. Affected product confirmed as Totolink A8000RU router. Weakness classifications include CWE-77 (Command Injection) and CWE-78 (OS Command Injection). CVSS 4.0 score of 8.9 reflects network accessibility and high impact potential. Vendor attribution carries low confidence due to reliance on reference domain inference rather than direct vendor confirmation.
Official resources
Public disclosure occurred on 2026-05-25 with subsequent modification on 2026-05-26. Proof-of-concept exploit material has been published and is publicly accessible. The vulnerability is not currently listed in CISA KEV.