CVE-2026-9476
CRITICAL Exploitation: PoC
9.8
CVSS 3.1
Description
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Metadata
Severity & Metrics
9.8
CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Totolink | A8000RU | — | 7.1cu.643_b20200521 |
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 10.0 | N/D | 2.0 | cna | AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR |
| 9.8 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R |
| 9.8 | CRITICAL | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R |
| 9.3 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
References (5)
- VDB-365457 | Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection https://vuldb.com/vuln/365457
- VDB-365457 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/365457/cti
- Submit #813459 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection https://vuldb.com/submit/813459
- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_348/README.md
- https://www.totolink.net/