Description
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. It affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi in the Web Management Interface component. Manipulation of the argument Comment leads to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The setIpQosRules handler in /cgi-bin/cstecgi.cgi of Totolink A8000RU firmware 7.1cu.643_b20200521 does not validate the Comment parameter before it reaches a system command. An attacker can therefore inject arbitrary operating‑system commands (CWE‑77, improper neutralization of special elements used in a command, and CWE‑78, OS command injection). Injected commands run with the privileges of the web server process; the CVSS vectors rate the confidentiality, integrity and availability impact as high, i.e. full compromise of the device.
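The failure described above, the CWE‑78 pattern of splicing an unvalidated request argument into a shell command, and the two ways it is normally fixed, as an added illustration written for this page. This is not Totolink's code, and the page says nothing about how setIpQosRules actually builds its command; the function names, the iptables command template and the sample Comment values are assumptions chosen only to make the pattern concrete.

```c
/* Added illustration of the CWE-78 bug class behind CVE-2026-9475, not
 * Totolink's code. A CGI-style handler receives an untrusted "Comment"
 * value; the command template and function names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64

/* Vulnerable pattern: the request argument is spliced into a command line
 * that would be handed to system()/popen(). Shell metacharacters such as
 * ';', '`', '|' or '$(' end the intended command and start an
 * attacker-chosen one. This function only builds the string; it never
 * runs it. Returns 0 on success, -1 if the buffer is too small. */
int build_qos_command_vulnerable(char *out, size_t outlen, const char *comment)
{
    int n = snprintf(out, outlen,
                     "iptables -A QOS -m comment --comment \"%s\"", comment);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fix 1: allowlist validation. Accept only ASCII letters, digits, space,
 * '-' and '_', with a bounded length. A denylist of "bad" characters is
 * the wrong way round (it is easy to miss one; a bare '\n' is enough in
 * some shells), while the allowlist is all a rule comment legitimately
 * needs. Returns 1 if the value is acceptable, else 0. */
int comment_is_safe(const char *comment)
{
    size_t len = strlen(comment);
    if (len == 0 || len > COMMENT_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)comment[i];
        if (!(isalnum(c) || c == ' ' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

int build_qos_command_hardened(char *out, size_t outlen, const char *comment)
{
    if (!comment_is_safe(comment))
        return -1;              /* reject the request; do not try to "clean" it */
    int n = snprintf(out, outlen,
                     "iptables -A QOS -m comment --comment \"%s\"", comment);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fix 2 (preferred): never involve a shell. Build an argv[] for
 * fork()+execvp() or posix_spawn(); the comment becomes exactly one
 * argument to iptables whatever bytes it contains, so there is no command
 * boundary to break out of. Returns argc, or -1 if argv is too small;
 * argv[argc] is set to NULL as exec() requires. Validation is still worth
 * keeping for length and character-set reasons, but it is no longer the
 * only thing between the attacker and command execution. */
int build_qos_argv(const char *comment, const char *argv[], size_t argv_cap)
{
    static const char *const fixed[] = {
        "iptables", "-A", "QOS", "-m", "comment", "--comment"
    };
    size_t nfixed = sizeof fixed / sizeof fixed[0];
    if (argv_cap < nfixed + 2)
        return -1;
    for (size_t i = 0; i < nfixed; i++)
        argv[i] = fixed[i];
    argv[nfixed] = comment;
    argv[nfixed + 1] = NULL;
    return (int)(nfixed + 1);
}

int main(void)
{
    /* Constructed sample values, not the disclosed exploit. */
    const char *benign = "home-wifi 1";
    const char *hostile = "x\"; id; echo \"";   /* closes the quote, runs id */
    char cmd[256];
    const char *argv[16];

    build_qos_command_vulnerable(cmd, sizeof cmd, hostile);
    printf("vulnerable builds : %s\n", cmd);

    printf("hardened(benign)  : %d\n",
           build_qos_command_hardened(cmd, sizeof cmd, benign));
    printf("hardened(hostile) : %d\n",
           build_qos_command_hardened(cmd, sizeof cmd, hostile));

    int argc = build_qos_argv(hostile, argv, 16);
    printf("argv form: argc=%d, comment kept as one token: [%s]\n",
           argc, argv[argc - 1]);
    return 0;
}
```

The hardened builder rejects rather than sanitises: stripping characters from a hostile value and continuing leaves the handler guessing which characters matter for the shell in use, whereas a rejected request costs the legitimate user nothing but a clearer comment string.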

Affected Systems

Totolink A8000RU routers running firmware version 7.1cu.643_b20200521 are affected by this vulnerability.

Risk and Exploitability

CVE‑2026‑9475 carries a CVSS v4.0 score of 9.3 (Critical); the accompanying v3.0 and v3.1 vectors score it 9.8. All of the vectors agree on what matters for triage: network attack vector (AV:N), low complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N), with high confidentiality, integrity and availability impact. EPSS data is not yet available, so the probability of exploitation in the wild cannot be quantified, but the exploit has been publicly disclosed (the vectors carry E:P, proof of concept) and the attack is reachable remotely through HTTP requests to the setIpQosRules handler in /cgi-bin/cstecgi.cgi without prior authentication. Though the vulnerability is not listed in the CISA KEV catalog, the combination of remote unauthenticated command execution and a public exploit makes it a high‑priority risk: treat any A8000RU whose management interface is reachable from an untrusted network as exposed.

Generated by OpenCVE AI on May 25, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update from Totolink that resolves the command injection flaw as soon as one is released; none is currently listed.
  • Restrict access to the web management interface: disable WAN‑side (remote) management, limit LAN access to trusted hosts or a management VLAN, and block external traffic to the interface with firewall rules.
  • Disabling the cstecgi.cgi endpoint or the setIpQosRules function would remove the vulnerable code path, but on Totolink devices cstecgi.cgi is the CGI handler that serves the web management interface, so this is unlikely to be practical on stock firmware; the network restriction above is the realistic mitigation until a fix ships.

Advisories

No advisories yet.

History

Mon, 25 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Totolink a8000ru
Vendors & Products                    Totolink a8000ru

Mon, 25 May 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description                           A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title                                 Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection
First Time appeared                   Totolink; Totolink a8000ru Firmware
Weaknesses                            CWE-77; CWE-78
CPEs                                  cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products                    Totolink; Totolink a8000ru Firmware
References
Metrics                               cvssV2_0  {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0  {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                      cvssV3_1  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
                                      cvssV4_0  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T16:45:11.115Z

Reserved: 2026-05-24T09:15:21.440Z

Link: CVE-2026-9475

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T19:30:15Z

Weaknesses