CVE-2026-9385
Published: 24 May 2026
Summary
CVE-2026-9385 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability was identified in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setTracerouteCfg function within the /cgi-bin/cstecgi.cgi file of the web management interface, where improper handling of the command argument enables OS command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9, reflecting network-accessible attack conditions with no required authentication or user interaction.
Remote, unauthenticated attackers can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Successful exploitation grants full control over confidentiality, integrity, and availability of the router, consistent with the high-severity vector metrics.
The exploit has been publicly disclosed, with technical details hosted on GitHub and VulDB. The EPSS score remains flat at 0.0125, with no observed rise after publication. The vendor site is referenced, but no specific patch or mitigation guidance is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31597
Vulnerability details
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument command causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection in the web management interface directly enables exploitation of the public-facing application (T1190) and, once input reaches the OS, Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the untrusted 'command' argument passed to setTracerouteCfg, blocking the OS command injection vector.
- AC-3 (Access Enforcement): enforces access-control policy on the web management interface so that unauthenticated remote callers cannot invoke setTracerouteCfg at all.
- Restricts network reachability of the management CGI endpoint to trusted sources, reducing the remote unauthenticated attack surface described in the CVE.
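As an added illustration of the first two controls, and not code from the Totolink firmware or from any of the page's references, the C sketch below shows a traceroute-configuration handler that gates on an authenticated session (AC-3), allow-lists the target argument (SI-10), and then launches traceroute through execvp with a fixed argv rather than through a shell, so the untrusted value can only ever be one argument. The function names, the session flag, the traceroute options, and the return codes are assumptions made for the example; the uncalled run_traceroute_unsafe shows the CWE-77/78 pattern the controls are meant to prevent.

```c
/* Added example, not Totolink's code: hardened handling of a user-supplied
 * traceroute target in a CGI-style handler. Names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_TARGET 253 /* longest valid DNS name */

enum { CFG_OK = 0, CFG_UNAUTHORIZED = 1, CFG_BAD_INPUT = 2, CFG_EXEC_FAILED = 3 };

/* SI-10: allow-list check. A traceroute target is a hostname or an IPv4/IPv6
 * literal, so only [A-Za-z0-9.:-] is accepted; shell metacharacters such as
 * ';', '|', '&', '`' and '$' never occur in a valid host and are rejected.
 * A leading '-' is refused so the value cannot be parsed as an option. */
int is_valid_target(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_TARGET) return 0;
    if (s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Vulnerable pattern (CWE-77/78), shown for contrast only and never called:
 * the untrusted value is spliced into a command line that a shell parses. */
int run_traceroute_unsafe(const char *target) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "traceroute %s", target);
    return system(cmd); /* shell interprets metacharacters inside target */
}

/* Builds the argv handed directly to execvp. Options are fixed constants;
 * the target occupies exactly one argv slot. Returns argc, or 0 on overflow. */
size_t build_traceroute_argv(const char *target, char *argv[], size_t cap) {
    static char *const fixed[] = { "traceroute", "-m", "15", "-q", "1" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (cap < n + 2) return 0;
    for (size_t i = 0; i < n; i++) argv[i] = fixed[i];
    argv[n] = (char *)target;
    argv[n + 1] = NULL;
    return n + 1;
}

/* Hardened handler: AC-3 gate first, SI-10 validation second, exec without a
 * shell last. dry_run=1 stops before spawning anything (used by the tests). */
int handle_set_traceroute_cfg(int session_authenticated, const char *target, int dry_run) {
    if (!session_authenticated) return CFG_UNAUTHORIZED;
    if (!is_valid_target(target)) return CFG_BAD_INPUT;
    if (dry_run) return CFG_OK;

    char *argv[8];
    if (build_traceroute_argv(target, argv, 8) == 0) return CFG_EXEC_FAILED;

    pid_t pid = fork();
    if (pid < 0) return CFG_EXEC_FAILED;
    if (pid == 0) {
        execvp(argv[0], argv); /* no /bin/sh involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return CFG_EXEC_FAILED;
    return (WIFEXITED(status) && WEXITSTATUS(status) != 127) ? CFG_OK : CFG_EXEC_FAILED;
}

int main(int argc, char **argv) {
    /* Stand-alone usage: treat argv[1] as the submitted target from an
     * already-authenticated session and report the handler's verdict. */
    const char *target = argc > 1 ? argv[1] : "example.com";
    int rc = handle_set_traceroute_cfg(1, target, 0);
    printf("target=%s verdict=%d\n", target, rc);
    return rc == CFG_OK ? 0 : 1;
}
```

The validation rejects anything outside the host character set rather than trying to strip known-bad characters, and the exec path makes the point that validation and shell avoidance are separate layers: even if a future change relaxed the allow-list, a value passed as a single argv element is never re-parsed by a shell.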