
CVE-2026-9436

Severity: High · Impact: RCE

Published: 25 May 2026
Modified: 26 May 2026
CISA KEV: not listed
Patch: none referenced

CVSS v4.0 score: 8.9 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS score: 0.0200 (78.4th percentile)
Risk priority: 55

Summary

CVE-2026-9436 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

A flaw has been identified in the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The issue resides in the setL2tpServerCfg function within the /cgi-bin/cstecgi.cgi file of the Web Management Interface and stems from improper handling of the enable argument, resulting in operating system command injection. The vulnerability is tracked as CVE-2026-9436, carries a CVSS 4.0 score of 8.9, and is associated with CWE-77 and CWE-78.

The flaw can be exploited remotely by unauthenticated attackers who supply crafted input to the affected parameter. Successful exploitation grants the ability to execute arbitrary operating system commands, which can compromise the confidentiality, integrity, and availability of the device. An exploit for the issue has already been published.

The EPSS score recorded for this CVE at the time of this analysis, 0.0132, showed no material increase after disclosure. The listed references point to vulnerability submissions and a proof-of-concept repository but give no details on vendor patches or mitigation steps.


Vulnerability details

A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.

CWE(s)

CWE-77 (Command Injection) and CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote, unauthenticated OS command injection in the router's web management interface is a direct instance of exploiting a public-facing application to gain initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9434 (shared CWE-77, CWE-78)
CVE-2026-9388 (shared CWE-77, CWE-78)
CVE-2026-7240 (shared CWE-77, CWE-78)
CVE-2026-9407 (shared CWE-77, CWE-78)
CVE-2025-9727 (shared CWE-77, CWE-78)
CVE-2026-9478 (shared CWE-77, CWE-78)
CVE-2026-9475 (shared CWE-77, CWE-78)
CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)

Affected Assets

Totolink
A8000RU
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Controls are drawn from NIST SP 800-53 r5.

SI-10 Information Input Validation (prevent)
Directly requires validation of the enable argument passed to setL2tpServerCfg, so that malformed input cannot be assembled into an OS command.

IA-2 Identification and Authentication (Organizational Users) (prevent)
Mandates identification and authentication before any access to the currently unauthenticated /cgi-bin/cstecgi.cgi endpoint, removing the remote unauthenticated exploitation path.

SC-7 Boundary Protection (prevent)
Enforces boundary protection rules that restrict or deny external network traffic to the web management interface, shrinking the remote attack surface.
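As an added illustration of the CWE-78 pattern described under Deeper analysis and of the SI-10 control above (example code written for this page, not the A8000RU firmware source), the following C sketch places a hypothetical CGI handler that interpolates the enable argument straight into a shell command line next to a hardened version that accepts only the two values an enable flag can legitimately take. The command path /usr/sbin/l2tp_ctl, the function names and the sample request values are all assumptions made for the example; nothing here is executed, the builders only return the command string they would have run.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Vulnerable pattern (hypothetical, not the real firmware): the value of the
 * request's "enable" argument is pasted into a shell command unvalidated.
 * "/usr/sbin/l2tp_ctl" is a placeholder for whatever helper the CGI would run. */
int build_l2tp_cmd_vulnerable(const char *enable, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/l2tp_ctl enable=%s", enable);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* SI-10 style positive validation: an enable switch is boolean, so the only
 * acceptable client values are "0" and "1". Everything else is rejected
 * before it can reach a shell. */
int parse_enable_flag(const char *enable, int *flag)
{
    if (enable == NULL) return -1;
    if (strcmp(enable, "0") == 0) { *flag = 0; return 0; }
    if (strcmp(enable, "1") == 0) { *flag = 1; return 0; }
    return -1;  /* e.g. "1;reboot", "true", "" are all refused */
}

/* Hardened builder: the command is assembled from the parsed integer, never
 * from the raw request string, so no client byte reaches the command line. */
int build_l2tp_cmd_safe(const char *enable, char *out, size_t outlen)
{
    int flag;
    if (parse_enable_flag(enable, &flag) != 0) return -1;
    int n = snprintf(out, outlen, "/usr/sbin/l2tp_ctl enable=%d", flag);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 when the assembled command line contains a shell metacharacter,
 * i.e. untrusted input has escaped its intended argument position. */
int command_has_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

int main(void)
{
    /* Constructed request values: two benign flags and one injection attempt. */
    const char *inputs[] = { "1", "1;reboot", "0" };
    char cmd[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_l2tp_cmd_vulnerable(inputs[i], cmd, sizeof cmd) == 0)
            printf("vulnerable: %-40s metachar=%d\n", cmd, command_has_metachar(cmd));
        if (build_l2tp_cmd_safe(inputs[i], cmd, sizeof cmd) == 0)
            printf("hardened:   %s\n", cmd);
        else
            printf("hardened:   rejected \"%s\"\n", inputs[i]);
    }
    return 0;
}
```

The point of the hardened builder is not the metacharacter check, which is only there to make the difference visible; it is that the request value is converted to a typed flag and the shell never sees the client's bytes at all. A blacklist of characters would still leave room for encodings and characters the list forgot.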
