Skip to main content

Totolink A8000RU CVE-2026-9386

| EUVDEUVD-2026-31546 HIGH
OS Command Injection (CWE-78)
2026-05-24 VulDB GHSA-p623-gg4q-6fv7
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.9
Analysis Generated
Jun 08, 2026 - 09:39 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 19:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument lang leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.

AnalysisAI

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands through the setLanguageCfg function in /cgi-bin/cstecgi.cgi. The flaw is triggered by manipulating the lang argument in the Web Management Interface, with publicly available exploit code existing and SSVC classifying the issue as automatable with total technical impact. EPSS sits at 0.89% (76th percentile), indicating moderate but non-trivial exploitation probability.

Technical ContextAI

The affected component is the cstecgi.cgi binary, a common CGI handler in Totolink router firmware that dispatches Web Management Interface requests to internal handler functions such as setLanguageCfg. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning the lang parameter value is concatenated into a shell command without proper sanitization or use of safe execution primitives. Per the CPE (cpe:2.3:a:totolink:a8000ru), the vulnerability lives in the embedded firmware web stack of the A8000RU gigabit router, where CGI handlers typically run with root privileges, giving any successful command injection full system control.

RemediationAI

No vendor-released patch identified at time of analysis - the references point only to VulDB tracking entries, a public exploit write-up at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_333/README.md, and the Totolink vendor site (https://www.totolink.net/) without a specific firmware fix advisory, so administrators should check Totolink's support portal for an updated firmware build superseding 7.1cu.643_b20200521. As compensating controls, disable remote (WAN-side) web management on the A8000RU so /cgi-bin/cstecgi.cgi is not reachable from the internet (trade-off: loss of remote admin convenience), restrict LAN-side access to the admin interface using ACLs or VLAN segmentation to trusted management hosts only (trade-off: added operational complexity for legitimate admins), and place the device behind a reverse proxy or firewall that blocks requests containing shell metacharacters in the lang parameter of cstecgi.cgi (trade-off: may break legitimate language switching). Consider replacing the device if no firmware update is forthcoming.

CVE-2026-9436 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9478 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9477 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9476 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9475 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

CVE-2026-9458 HIGH POC
8.9 May 25

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke

CVE-2026-9457 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9456 HIGH POC
8.9 May 25

Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to

CVE-2026-9455 HIGH POC
8.9 May 25

OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9454 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9435 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9434 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

Share

CVE-2026-9386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy