PatchSiren cyber security CVE debrief

CVE-2026-9475 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the setIpQosRules function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The Comment parameter is improperly sanitized, allowing an attacker to inject and execute arbitrary operating system commands. This vulnerability can be exploited remotely without authentication, and public exploit disclosure has occurred. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and no user interaction needed, resulting in high impacts to confidentiality, integrity, and availability.

Vendor
Totolink
Product
A8000RU
CVSS
HIGH 8.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations and individuals deploying Totolink A8000RU routers for wireless connectivity; network administrators responsible for consumer-grade router security; security teams monitoring for IoT/embedded device exploitation; incident responders tracking public exploit weaponization against edge network devices

Technical summary

The vulnerability exists in the setIpQosRules function of /cgi-bin/cstecgi.cgi in Totolink A8000RU firmware 7.1cu.643_b20200521. Insufficient input validation on the Comment parameter allows OS command injection. Remote exploitation is possible without authentication. CVSS 4.0 score of 8.9 (HIGH) reflects network accessibility, low complexity, and high impact across confidentiality, integrity, and availability dimensions.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict access to the web management interface of affected Totolink A8000RU devices; implement network segmentation to limit exposure of management interfaces to untrusted networks
  • Monitor for unauthorized access attempts to /cgi-bin/cstecgi.cgi and anomalous command execution patterns on affected devices
  • Apply vendor firmware updates when available; contact Totolink support for patch status given public exploit availability
  • Consider replacing affected devices if vendor patching is not forthcoming, given HIGH severity and public exploit disclosure
  • Review network logs for indicators of compromise targeting QoS configuration endpoints
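The monitoring action above can be turned into a concrete detection. The following is an added example, not part of the PatchSiren debrief or any Totolink code: it classifies web requests to /cgi-bin/cstecgi.cgi, flags setIpQosRules calls whose Comment parameter carries shell metacharacters, and runs over constructed sample records. The request records, the `action` form key and the metacharacter list are assumptions for illustration; the endpoint, function and parameter names come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, function and parameter named in the advisory
CSTECGI_PATH = "/cgi-bin/cstecgi.cgi"
VULN_FUNCTION = "setIpQosRules"
VULN_PARAM = "Comment"
# Shell metacharacters that have no place in a free-text QoS comment (assumed list)
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")


def extract_params(path: str, body: str) -> dict:
    """Merge query-string and form-encoded body parameters (first value wins)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    return {key: values[0] for key, values in params.items()}


def classify_request(method: str, path: str, body: str) -> str:
    """Return 'benign', 'cstecgi', 'qos-config' or 'injection' for one request."""
    if urlsplit(path).path != CSTECGI_PATH:
        return "benign"                      # not the management CGI at all
    if VULN_FUNCTION not in path + body:
        return "cstecgi"                     # management traffic, other function
    comment = extract_params(path, body).get(VULN_PARAM, "")
    if SHELL_META.search(comment):
        return "injection"                   # metacharacters in the Comment field
    return "qos-config"                      # ordinary QoS rule change


def scan(records: list) -> list:
    """Return (index, verdict) for every record that is not benign."""
    verdicts = [(i, classify_request(*rec)) for i, rec in enumerate(records)]
    return [(i, v) for i, v in verdicts if v != "benign"]


# Constructed sample records (method, path, body); the 'action' key is assumed
SAMPLE_RECORDS = [
    ("GET", "/index.html", ""),
    ("POST", CSTECGI_PATH, "action=getStatus"),
    ("POST", CSTECGI_PATH, "action=setIpQosRules&Comment=office+printer"),
    ("POST", CSTECGI_PATH, "action=setIpQosRules&Comment=x%3Becho+probe"),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_RECORDS):
        print(index, verdict, SAMPLE_RECORDS[index][2])
```

In practice the records come from a reverse proxy or packet capture in front of the router, since the device's own logs will not show POST bodies; any "injection" verdict from an untrusted source address is a high-priority alert given the unauthenticated exploit path.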

Evidence notes

Vulnerability confirmed through VulDB entry with CVSS 4.0 scoring. Affected function identified as setIpQosRules in /cgi-bin/cstecgi.cgi. Command injection vector via Comment parameter. Public exploit disclosure confirmed through GitHub repository reference. Vendor website reference provided but no specific advisory or patch information available in source corpus.

Official resources

Public disclosure occurred on 2026-05-25 with exploit availability confirmed. The vulnerability affects a consumer-grade wireless router with web-based management, commonly deployed in small office and home environments. No vendor patch or