CVE-2026-9432
Published: 25 May 2026
Summary
CVE-2026-9432 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in OS command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Remote unauthenticated attackers can target the web management interface to supply crafted input to the bgProtection parameter, resulting in execution of arbitrary operating system commands on the device. Successful exploitation grants attackers the ability to compromise the router's confidentiality, integrity, and availability with high impact.
Public references include a detailed proof-of-concept on GitHub and VulDB entries that document the issue. The Totolink vendor site is listed as a reference, but the available materials contain no patch or mitigation guidance from the vendor. The EPSS score remains flat at 0.0125 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31637
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote OS command injection in web management interface directly enables T1190 (public app exploit) and Unix shell command execution via T1059.004.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of the bgProtection parameter to block OS command injection via the web CGI function.
Enforces authentication and authorization on the /cgi-bin/cstecgi.cgi management interface before any function such as setWiFiAdvancedCfg can be invoked.
Restricts remote network access to the device web interface, reducing the attack surface for unauthenticated command-injection attempts.