Skip to main content

TOTOLINK A8000RU CVE-2026-9408

| EUVD-2026-31609 HIGH
OS Command Injection (CWE-78)
2026-05-25 VulDB GHSA-rq43-h4ch-33gm
Command Injection A8000Ru
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:40 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 19:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.

AnalysisAI

OS command injection in the TOTOLINK A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter passed to the setStaticDhcpRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists and SSVC rates this as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Scan for exposed A8000RU web interface
Delivery
Craft POST to /cgi-bin/cstecgi.cgi setStaticDhcpRules
Exploit
Inject shell metacharacters into 'enable' parameter
Execution
CGI executes commands as root
Persist
Drop persistence or backdoor binary
Impact
Pivot to LAN clients and traffic
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the A8000RU web management interface on firmware 7.1cu.643_b20200521 and the ability to send a request to /cgi-bin/cstecgi.cgi invoking the setStaticDhcpRules function with a malicious 'enable' argument. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, score 8.9) indicates a network-reachable, low-complexity, unauthenticated path to full confidentiality, integrity, and availability impact on the vulnerable component, and SSVC corroborates this with Exploitation=poc, Automatable=yes, Technical Impact=total. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet (or an adjacent network) for A8000RU devices exposing /cgi-bin/cstecgi.cgi, then sends a single crafted POST to invoke setStaticDhcpRules with shell metacharacters embedded in the 'enable' argument, causing the CGI to execute attacker-chosen commands as root. The publicly available PoC at https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_340/README.md lowers the skill bar significantly, and because SSVC flags the issue as automatable, the realistic next step is botnet-style mass enrollment (telnet/SSH backdoor, downloader payload, or DNS hijack) rather than targeted intrusion.
Remediation No vendor-released patch identified at time of analysis - neither TOTOLINK nor the VulDB/EUVD references cite a fixed firmware version, so defenders should treat this as unpatched and apply compensating controls. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all TOTOLINK A8000RU routers in your environment, document firmware versions, and audit which devices have internet-accessible management interfaces. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9408 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy