PatchSiren cyber security CVE debrief

CVE-2026-9458 Totolink CVE debrief

A remote OS command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setWanCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enabled` parameter is susceptible to command injection, allowing unauthenticated remote attackers to execute arbitrary operating system commands. The CVSS 4.0 score of 8.9 (HIGH) reflects network attack vector, low attack complexity, no required privileges, and high impact to confidentiality, integrity, and availability. The vulnerability was published on 2026-05-25 and modified on 2026-05-26. Public exploit availability is indicated in the CVSS vector (E:P). The vendor attribution is based on reference domain analysis with low confidence and requires review.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations deploying Totolink A8000RU routers in production environments, particularly those with exposed web management interfaces; security teams responsible for IoT and network infrastructure protection; and managed service providers maintaining customer premises equipment.

Technical summary

The vulnerability exists in the `setWanCfg` function of `/cgi-bin/cstecgi.cgi` on Totolink A8000RU devices running firmware 7.1cu.643_b20200521. Insufficient input validation on the `enabled` parameter allows injection of operating system commands. The attack can be performed remotely without authentication. The CVSS 4.0 score of 8.9 indicates HIGH severity with network attack vector, low complexity, and high impacts across confidentiality, integrity, and availability. The exploit is publicly available per the CVSS E:P metric.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to the web management interface of affected Totolink A8000RU devices; implement firewall rules to block external access to /cgi-bin/cstecgi.cgi
  • Monitor for suspicious requests to the /cgi-bin/cstecgi.cgi endpoint containing the setWanCfg action, particularly those with anomalous 'enabled' parameter values
  • Apply firmware updates from Totolink when available; verify vendor security advisories at the official Totolink website
  • Consider disabling remote web management access if not required for operational purposes
  • Review device logs for indicators of compromise, including unexpected command execution or configuration changes
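
One way to implement the monitoring action above, as an added example (not PatchSiren's or Totolink's code): it checks captured requests to `/cgi-bin/cstecgi.cgi` that carry the `setWanCfg` action and flags any `enabled` value outside a strict allowlist. Assumptions: request bodies are available from a proxy or capture as JSON or form-encoded text, the action name appears as the value of some field (the page does not name that field, so the `action` key in the constructed samples is hypothetical), and a legitimate `enabled` value is a single `0` or `1`.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
ACTION = "setWanCfg"
# Assumption: a legitimate `enabled` value is a single 0/1 flag.
ALLOWED_ENABLED = re.compile(r"[01]")

# Constructed sample requests (path, body); the "action" key is hypothetical.
SAMPLE_REQUESTS = [
    ("/cgi-bin/cstecgi.cgi", '{"action": "setWanCfg", "enabled": "1"}'),
    ("/cgi-bin/cstecgi.cgi", '{"action": "setWanCfg", "enabled": "1;CONSTRUCTED"}'),
    ("/cgi-bin/cstecgi.cgi", "action=setWanCfg&enabled=0%7CCONSTRUCTED"),
    ("/cgi-bin/cstecgi.cgi", '{"action": "otherAction", "enabled": "a b"}'),
    ("/index.html", '{"action": "setWanCfg", "enabled": "1;CONSTRUCTED"}'),
]

def parse_body(body):
    """Return request fields as a dict; accepts JSON or form-encoded text."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return data
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def check_request(path, body):
    """Return a finding for an anomalous setWanCfg request, else None."""
    if path.split("?", 1)[0] != ENDPOINT:
        return None
    fields = parse_body(body)
    if ACTION not in fields.values() or "enabled" not in fields:
        return None
    value = fields["enabled"]
    text = value if isinstance(value, str) else json.dumps(value)
    if ALLOWED_ENABLED.fullmatch(text):
        return None
    return "anomalous enabled value: " + repr(text)

def scan(requests):
    """Return (index, finding) for every request that should be reviewed."""
    found = ((i, check_request(p, b)) for i, (p, b) in enumerate(requests))
    return [(i, f) for i, f in found if f]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(index, finding)
```

Matching on an allowlist rather than a list of shell metacharacters keeps the check independent of how a value is encoded or obfuscated; adjust the allowed pattern once the values the device's own interface sends have been confirmed.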

Evidence notes

Vulnerability identified in Totolink A8000RU 7.1cu.643_b20200521. Affected function: setWanCfg in /cgi-bin/cstecgi.cgi. Attack vector: manipulation of the 'enabled' argument leading to OS command injection. Classified as CWE-77 and CWE-78. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P. Exploit marked as publicly available per CVSS E:P metric. Vendor attribution derived from reference domain candidate (VulDB) with low confidence; needs review.

Official resources

2026-05-25T14:16:28.870Z