Skip to main content
CVE Vulnerability Database

CVE-2026-9475: Totolink A8000RU RCE Vulnerability

CVE-2026-9475 is a remote code execution vulnerability in Totolink A8000RU routers that allows attackers to execute OS commands via the web interface. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-9475 Overview

CVE-2026-9475 is an operating system command injection vulnerability affecting Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The flaw resides in the setIpQosRules function of the /cgi-bin/cstecgi.cgi endpoint within the Web Management Interface. Attackers manipulate the Comment argument to inject arbitrary operating system commands. Remote exploitation requires no authentication or user interaction. A public proof-of-concept has been released, raising the likelihood of opportunistic attacks against exposed devices.

Critical Impact

Unauthenticated remote attackers can execute arbitrary OS commands on affected Totolink A8000RU routers, leading to full device compromise and pivoting into internal networks.

Affected Products

  • Totolink A8000RU router
  • Firmware version 7.1cu.643_b20200521
  • Web Management Interface component (/cgi-bin/cstecgi.cgi)

Discovery Timeline

  • 2026-05-25 - CVE-2026-9475 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-9475

Vulnerability Analysis

The vulnerability is classified as OS command injection [CWE-77]. It is reachable over the network without authentication, and the public disclosure of a proof-of-concept increases exploitation risk. The EPSS model places exploitation likelihood in the upper quartile of all tracked CVEs, consistent with widely targeted embedded device flaws.

The setIpQosRules handler in cstecgi.cgi processes user-supplied parameters from the Web Management Interface. The Comment parameter is incorporated into a shell command construction path without proper sanitization or argument escaping. Attackers append shell metacharacters such as ;, |, or backticks to break out of the intended string context and execute attacker-controlled commands under the privileges of the web server process, which on consumer routers is typically root.

Root Cause

The root cause is improper neutralization of special elements used in an OS command. The setIpQosRules function passes the Comment argument to a system shell invocation without filtering shell metacharacters or using parameterized execution. This pattern is common in MIPS-based consumer router firmware where CGI handlers call system(), popen(), or equivalent functions with concatenated user input.

Attack Vector

An attacker sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi targeting the setIpQosRules topicurl with a malicious Comment value. Because the Web Management Interface is often exposed on the LAN by default and sometimes on the WAN, exploitation can be performed remotely without credentials. Successful exploitation grants command execution with elevated privileges, enabling persistence, botnet recruitment, DNS hijacking, or lateral movement to clients behind the router.

No verified exploit code is reproduced here. Technical details and a proof-of-concept walkthrough are published in the GitHub PoC repository and VulDB #365456.

Detection Methods for CVE-2026-9475

Indicators of Compromise

  • HTTP POST requests to /cgi-bin/cstecgi.cgi containing the setIpQosRules topicurl and shell metacharacters (;, |, &, `, $() in the Comment field
  • Outbound connections from the router to unfamiliar hosts on ports 4444, 1337, or other common reverse-shell ports
  • New or modified files in /tmp, /var/tmp, or NVRAM persistence locations on the device
  • Unexpected DNS configuration changes on the router or in DHCP-issued settings to clients

Detection Strategies

  • Inspect HTTP request bodies destined to cstecgi.cgi for shell metacharacters within parameter values, not just URL paths
  • Correlate router management-plane traffic with subsequent outbound connections from the router itself to flag command execution
  • Monitor for repeated setIpQosRules requests from external or unusual internal sources

Monitoring Recommendations

  • Forward router syslog and web access logs to a centralized SIEM and alert on POSTs to cstecgi.cgi
  • Baseline normal egress from network infrastructure devices and alert on deviations
  • Track firmware versions across the fleet to identify devices still running 7.1cu.643_b20200521

How to Mitigate CVE-2026-9475

Immediate Actions Required

  • Disable remote (WAN-side) administration on all Totolink A8000RU devices until a patched firmware is available
  • Restrict access to the Web Management Interface to a dedicated management VLAN or trusted host
  • Change administrative credentials and audit router configuration for unauthorized QoS rules, DNS overrides, or port forwards
  • Replace end-of-life or unsupported Totolink devices in environments handling sensitive traffic

Patch Information

At the time of publication, no vendor advisory or fixed firmware release has been linked in the CVE record. Monitor the Totolink official site for firmware updates addressing the setIpQosRules command injection.

Workarounds

  • Block inbound access to TCP ports 80 and 443 on the router's WAN interface using upstream firewall rules
  • Apply ACLs on the LAN side to restrict /cgi-bin/cstecgi.cgi access to specific administrator workstations
  • Place the router behind a network segment that filters HTTP requests containing shell metacharacters in POST bodies
bash
# Example upstream firewall rule to block WAN access to router HTTP/HTTPS management
iptables -I FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -I FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.