CVE-2026-9434
Published: 25 May 2026
Summary
CVE-2026-9434 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
A security vulnerability has been detected in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setWiFiWpsCfg function of the /cgi-bin/cstecgi.cgi file within the Web Management Interface component. Manipulation of the wscDisabled argument enables OS command injection, as indicated by the associated CWE-77 and CWE-78 classifications and an 8.9 CVSS 4.0 score reflecting network-accessible impact on confidentiality, integrity, and availability.
The attack may be launched remotely by an unauthenticated adversary who supplies crafted input to the affected parameter, resulting in arbitrary operating system command execution on the device. A public exploit for this vulnerability has already been disclosed and could be leveraged by threat actors.
The provided references point to a GitHub repository containing technical details, multiple VulDB entries, and the vendor site, though no specific patch or mitigation guidance is described in the available information. The EPSS score remains flat at 0.0125 with no observed increase following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31640
Vulnerability details
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument wscDisabled leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection in publicly exposed web management CGI endpoint enables remote exploitation of the application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the wscDisabled argument in setWiFiWpsCfg before it is passed to the OS, blocking the command-injection payload.
- AC-3 (Access Enforcement): Enforces authorization checks on the /cgi-bin/cstecgi.cgi endpoint so that unauthenticated remote callers cannot invoke setWiFiWpsCfg at all.
- Boundary-protection mechanisms can restrict or deny external network access to the router's web management interface, eliminating the remote attack vector.