CVE-2026-9478
Published: 25 May 2026
Summary
CVE-2026-9478 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A8000RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A weakness has been identified in the Totolink A8000RU firmware version 7.1cu.643_b20200521. The issue resides in the setParentalRules function of the /cgi-bin/cstecgi.cgi component within the Web Management Interface. Manipulation of the enable argument permits OS command injection, as indicated by the associated CWEs 77 and 78. The vulnerability is remotely exploitable without authentication and carries a CVSS 4.0 score of 8.9.
An attacker with network access can supply a crafted request to the web interface and execute arbitrary operating system commands on the device. Publicly available exploit code has been released, enabling attackers to achieve full compromise of confidentiality, integrity, and availability on affected routers.
The current and peak EPSS score remains low at 0.0125 with no material increase observed after disclosure. Reference materials point to a public exploit repository and the vendor site but contain no details on patches or specific mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31712
Vulnerability details
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to OS command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in the web management interface is a direct instance of exploiting a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'enable' argument in setParentalRules so that it cannot be used for OS command injection via cstecgi.cgi.
- AC-3 (Access Enforcement): enforces authentication and authorization checks before any web-interface function (including the currently unauthenticated remote path to setParentalRules) can execute.
- Restricts remote access methods and requires additional controls (e.g., VPN, allow-lists) for the web management interface that exposes the vulnerable CGI endpoint.
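The following C snippet is an added example of the SI-10 control described above; it is not Totolink firmware code, whose real handler is not on this page. It shows a strict allow-list check for a boolean CGI argument such as `enable`: the handler converts the string to an integer and only that integer ever reaches the persisted setting, so no request-controlled bytes are passed to a shell. The function names, the `parental_enable=` key format and the sample inputs are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Totolink firmware code): strict allow-list validation
 * for a boolean CGI argument such as `enable`, the input-validation control
 * (SI-10) the page names for setParentalRules. Function names and the
 * config-key format below are hypothetical. */

#define ENABLE_INVALID (-1)

/* Accept exactly "0" or "1"; anything else (NULL, empty, longer strings,
 * shell metacharacters, surrounding whitespace) is rejected. */
int parse_enable_arg(const char *enable)
{
    if (enable == NULL)
        return ENABLE_INVALID;
    if (strcmp(enable, "0") == 0)
        return 0;
    if (strcmp(enable, "1") == 0)
        return 1;
    return ENABLE_INVALID;
}

/* Deny-list check shown only for contrast: it catches the obvious shell
 * metacharacters but is not a substitute for the allow-list above, because
 * the set of dangerous characters depends on how the string is later used. */
bool contains_shell_metachar(const char *s)
{
    static const char meta[] = ";|&$`\n\r<>()";
    if (s == NULL)
        return false;
    return strpbrk(s, meta) != NULL;
}

/* Build the setting the handler would persist, e.g. "parental_enable=1".
 * Only the validated integer is formatted into the output, so the caller
 * never hands attacker-controlled bytes to system() or a shell.
 * Returns 0 on success, -1 on rejected input or an undersized buffer. */
int build_parental_setting(const char *enable, char *out, size_t outlen)
{
    int v = parse_enable_arg(enable);
    if (v == ENABLE_INVALID)
        return -1;
    int n = snprintf(out, outlen, "parental_enable=%d", v);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the last three mimic malformed requests. */
    const char *samples[] = { "1", "0", "", "01", "1; x", NULL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_parental_setting(samples[i], buf, sizeof buf);
        printf("%-8s -> %s\n", samples[i] ? samples[i] : "(null)",
               rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The design point is that a boolean flag never needs to be treated as a string at all: parsing it into an integer before any further use removes the command-injection surface entirely, whereas a deny-list of metacharacters only narrows it.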