Skip to main content

Totolink A8000RU CVE-2026-9457

| EUVDEUVD-2026-31677 HIGH
OS Command Injection (CWE-78)
2026-05-25 VulDB GHSA-87p8-wpqj-3j8j
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.9
Analysis Generated
Jun 08, 2026 - 09:42 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 19:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the FileName argument in the UploadFirmwareFile function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB reporting, and SSVC rates this as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile) indicating no broad mass-exploitation campaign yet observed.

Technical ContextAI

The affected component is the Web Management Interface CGI handler (cstecgi.cgi) on the Totolink A8000RU, a consumer/SOHO router. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) applies because the UploadFirmwareFile function passes the user-supplied FileName parameter into a shell or system() call without proper sanitization, allowing shell metacharacters to break out of the intended command context. CPE cpe:2.3:a:totolink:a8000ru:*:*:*:*:*:*:*:* identifies the affected device family, with EUVD specifically pinning firmware build 7.1cu.643_b20200521. Totolink's cstecgi.cgi binary is a well-known recurring source of command injection issues across the vendor's product line.

RemediationAI

No vendor-released patch identified at time of analysis - Totolink has not published a fixed firmware version in the references provided, and the only advisories are third-party (VulDB) submissions. Until the vendor issues an updated firmware build, administrators should disable remote (WAN-side) access to the Web Management Interface entirely, restrict LAN-side access to the /cgi-bin/cstecgi.cgi endpoint via firewall ACLs to a dedicated management host or VLAN, and segment the router away from untrusted clients (IoT, guest Wi-Fi); the trade-off is loss of convenient remote administration and added complexity for legitimate admins. Monitor https://www.totolink.net/ and https://vuldb.com/vuln/365438 for an updated firmware release, and as a longer-term control consider replacing the device with a model receiving active security support if no patch materializes.

CVE-2026-9436 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9478 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9477 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9476 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9475 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

CVE-2026-9458 HIGH POC
8.9 May 25

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attacke

CVE-2026-9456 HIGH POC
8.9 May 25

Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to

CVE-2026-9455 HIGH POC
8.9 May 25

OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9454 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

CVE-2026-9435 HIGH POC
8.9 May 25

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to

CVE-2026-9434 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attacke

CVE-2026-9433 HIGH POC
8.9 May 25

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attacke

Share

CVE-2026-9457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy