Which versions of Totolink A8000RU are affected by CVE-2026-9406?

The Totolik A8000RU router (firmware 7.1cu.643_b20200521) contains an unauthenticated remote command injection vulnerability (CVE-2026-9406, CVSS 8.9) that allows attackers to execute arbitrary…

Is there a public PoC exploit available for CVE-2026-9406?

Yes, a public proof-of-concept exploit is available for CVE-2026-9406. Prioritise patching immediately. EPSS: 0.9%.

How to fix or mitigate CVE-2026-9406?

Within 24 hours: Conduct asset discovery to identify all Totolik A8000RU units (particularly firmware 7.1cu.643_b20200521) connected to networks with internet-facing management access; immediately isolate or block external access to affected devices. Within 7 days: Document inventory findings, evaluate replacement router models with active vendor security support, and audit network segmentation to contain any potential lateral movement. Within 30 days: Complete hardware replacement or deploy compensating controls (firewall rules blocking /cgi-bin/cstecgi.cgi access, segment router onto isolated management VLAN, disable remote management if available via device configuration).

Totolink A8000RU CVE-2026-9406

Q: What is the CVSS score of CVE-2026-9406?

CVE-2026-9406 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.9%.

EUVD-2026-31606 HIGH

OS Command Injection (CWE-78)

2026-05-24 VulDB

GHSA-wr4g-w636-jw9m

Command Injection A8000Ru

8.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.9 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 08, 2026 - 09:28 vuln.today

Severity Changed

May 26, 2026 - 19:07 NVD

CRITICAL HIGH

CVSS changed

May 26, 2026 - 19:07 NVD

9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands via the 'enable' parameter of the setRemoteCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, raising the practical risk despite the device not being listed in CISA KEV; EPSS sits at 0.89% (76th percentile), reflecting moderate predicted exploitation likelihood.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify internet-exposed A8000RU

Delivery

Send crafted POST to /cgi-bin/cstecgi.cgi

Exploit

Inject shell metacharacters via enable parameter

Install

setRemoteCfg passes input to shell

Execute commands as root

Execute

Install persistent implant or botnet agent

Impact

Pivot to internal LAN hosts