PatchSiren


CVE-2026-9476 Totolink CVE debrief

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setPasswordCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `admpass` parameter accepts unsanitized input that is passed to a shell command, enabling remote attackers to execute arbitrary operating system commands without authentication. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and no user interaction, with high impact to confidentiality, integrity, and availability. The exploit has been publicly disclosed and is marked as proof-of-concept available. The vulnerability was published to CVE on 2026-05-25 and last modified on 2026-05-26. No CISA KEV listing is present. Vendor attribution to Totolink is supported by reference links to the vendor domain, though the CNA-assigned vendor field remains marked for review.

Vendor: Totolink
Product: A8000RU
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink A8000RU deployments; security teams responsible for SOHO and small business router infrastructure; incident response teams monitoring for IoT/router exploitation campaigns

Technical summary

The Totolink A8000RU firmware 7.1cu.643_b20200521 contains an unauthenticated OS command injection vulnerability in the web management interface. The `/cgi-bin/cstecgi.cgi` endpoint's `setPasswordCfg` function passes the `admpass` parameter directly to shell execution without proper sanitization. Attackers can inject shell metacharacters to execute arbitrary commands with root privileges on the underlying Linux-based router operating system. The vulnerability is remotely exploitable without credentials and requires no user interaction.

Defensive priority

high

Recommended defensive actions

  • Immediately restrict access to the web management interface of affected Totolink A8000RU devices; disable WAN-side administration and limit access to trusted management networks only
  • Apply firmware updates from Totolink if available; verify patch version addresses the setPasswordCfg command injection vulnerability
  • Deploy network segmentation to isolate affected routers from critical internal infrastructure
  • Monitor for suspicious requests to /cgi-bin/cstecgi.cgi containing shell metacharacters in the admpass parameter
  • Consider replacing affected devices if vendor patches are not forthcoming given public exploit availability
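
A sketch of the monitoring step above, added here as an example (not PatchSiren or vendor code): it flags requests to /cgi-bin/cstecgi.cgi whose admpass value contains shell metacharacters. The record layout (src, url, body), the JSON and form-encoded body handling, and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"   # endpoint named in the advisory
PARAM = "admpass"                      # parameter named in the advisory
# Characters a shell interprets. A hit means "review this request", not proof of compromise.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")

def extract_param(data):
    """Return decoded admpass values from a JSON or form-encoded string."""
    try:
        doc = json.loads(data)
        if isinstance(doc, dict) and PARAM in doc:
            return [str(doc[PARAM])]
    except ValueError:
        pass  # not JSON, fall through to form decoding
    # parse_qs percent-decodes, so encoded metacharacters are also seen
    return parse_qs(data, keep_blank_values=True).get(PARAM, [])

def scan(records):
    """Return (src, value) for each admpass value carrying shell metacharacters."""
    hits = []
    for rec in records:
        url = urlsplit(rec["url"])
        if url.path != TARGET_PATH:
            continue
        values = extract_param(url.query) + extract_param(rec.get("body", ""))
        hits += [(rec["src"], v) for v in values if SHELL_META.search(v)]
    return hits

# Constructed sample records: documentation address ranges, harmless marker strings.
SAMPLE = [
    {"src": "192.0.2.10", "url": TARGET_PATH, "body": '{"admpass": "Correct-Horse-42"}'},
    {"src": "198.51.100.7", "url": TARGET_PATH, "body": '{"admpass": "x;echo marker"}'},
    {"src": "198.51.100.7", "url": TARGET_PATH, "body": "admpass=x%60echo+marker%60"},
    {"src": "203.0.113.5", "url": TARGET_PATH + "?admpass=a%7Cb", "body": ""},
    {"src": "192.0.2.10", "url": "/index.html", "body": "admpass=x;y"},
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} {PARAM}={value!r}")
```

Since the issue is exploitable without authentication, any hit from outside the trusted management network is worth reviewing regardless of the HTTP response code.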

Evidence notes

Vulnerability description sourced from NVD record with CVSS 4.0 vector. Weaknesses identified as CWE-77 (Command Injection) and CWE-78 (OS Command Injection). Public exploit availability confirmed through VulDB submission and analysis references. Vendor identification derived from reference domain analysis with low confidence flag requiring review.
