CVE-2026-9475 Overview
CVE-2026-9475 is an operating system command injection vulnerability affecting Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. The flaw resides in the setIpQosRules function of the /cgi-bin/cstecgi.cgi endpoint within the Web Management Interface. Attackers manipulate the Comment argument to inject arbitrary operating system commands. Remote exploitation requires no authentication or user interaction. A public proof-of-concept has been released, raising the likelihood of opportunistic attacks against exposed devices.
Critical Impact
Unauthenticated remote attackers can execute arbitrary OS commands on affected Totolink A8000RU routers, leading to full device compromise and pivoting into internal networks.
Affected Products
- Totolink A8000RU router
- Firmware version 7.1cu.643_b20200521
- Web Management Interface component (/cgi-bin/cstecgi.cgi)
Discovery Timeline
- 2026-05-25 - CVE-2026-9475 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9475
Vulnerability Analysis
The vulnerability is classified as OS command injection [CWE-77]. It is reachable over the network without authentication, and the public disclosure of a proof-of-concept increases exploitation risk. The EPSS model places exploitation likelihood in the upper quartile of all tracked CVEs, consistent with widely targeted embedded device flaws.
The setIpQosRules handler in cstecgi.cgi processes user-supplied parameters from the Web Management Interface. The Comment parameter is incorporated into a shell command construction path without proper sanitization or argument escaping. Attackers append shell metacharacters such as ;, |, or backticks to break out of the intended string context and execute attacker-controlled commands under the privileges of the web server process, which on consumer routers is typically root.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. The setIpQosRules function passes the Comment argument to a system shell invocation without filtering shell metacharacters or using parameterized execution. This pattern is common in MIPS-based consumer router firmware where CGI handlers call system(), popen(), or equivalent functions with concatenated user input.
Attack Vector
An attacker sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi targeting the setIpQosRules topicurl with a malicious Comment value. Because the Web Management Interface is often exposed on the LAN by default and sometimes on the WAN, exploitation can be performed remotely without credentials. Successful exploitation grants command execution with elevated privileges, enabling persistence, botnet recruitment, DNS hijacking, or lateral movement to clients behind the router.
No verified exploit code is reproduced here. Technical details and a proof-of-concept walkthrough are published in the GitHub PoC repository and VulDB #365456.
Detection Methods for CVE-2026-9475
Indicators of Compromise
- HTTP POST requests to /cgi-bin/cstecgi.cgi containing the setIpQosRules topicurl and shell metacharacters (;, |, &, `, $() in the Comment field
- Outbound connections from the router to unfamiliar hosts on ports 4444, 1337, or other common reverse-shell ports
- New or modified files in /tmp, /var/tmp, or NVRAM persistence locations on the device
- Unexpected DNS configuration changes on the router or in DHCP-issued settings to clients
Detection Strategies
- Inspect HTTP request bodies destined to cstecgi.cgi for shell metacharacters within parameter values, not just URL paths
- Correlate router management-plane traffic with subsequent outbound connections from the router itself to flag command execution
- Monitor for repeated setIpQosRules requests from external or unusual internal sources
Monitoring Recommendations
- Forward router syslog and web access logs to a centralized SIEM and alert on POSTs to cstecgi.cgi
- Baseline normal egress from network infrastructure devices and alert on deviations
- Track firmware versions across the fleet to identify devices still running 7.1cu.643_b20200521
How to Mitigate CVE-2026-9475
Immediate Actions Required
- Disable remote (WAN-side) administration on all Totolink A8000RU devices until a patched firmware is available
- Restrict access to the Web Management Interface to a dedicated management VLAN or trusted host
- Change administrative credentials and audit router configuration for unauthorized QoS rules, DNS overrides, or port forwards
- Replace end-of-life or unsupported Totolink devices in environments handling sensitive traffic
Patch Information
At the time of publication, no vendor advisory or fixed firmware release has been linked in the CVE record. Monitor the Totolink official site for firmware updates addressing the setIpQosRules command injection.
Workarounds
- Block inbound access to TCP ports 80 and 443 on the router's WAN interface using upstream firewall rules
- Apply ACLs on the LAN side to restrict /cgi-bin/cstecgi.cgi access to specific administrator workstations
- Place the router behind a network segment that filters HTTP requests containing shell metacharacters in POST bodies
# Example upstream firewall rule to block WAN access to router HTTP/HTTPS management
iptables -I FORWARD -p tcp -d <router_wan_ip> --dport 80 -j DROP
iptables -I FORWARD -p tcp -d <router_wan_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
