critical advisory

CVE-2026-9456 - Totolink A8000RU Remote Command Injection

Totolink A8000RU version 7.1cu.643_b20200521 is vulnerable to remote command injection via the setOpenVpnCfg function, allowing unauthenticated attackers to execute arbitrary commands on the device.

CVE-2026-9456 describes a critical vulnerability affecting Totolink A8000RU router version 7.1cu.643_b20200521. The vulnerability resides within the Web Management Interface, specifically in the setOpenVpnCfg function located in /cgi-bin/cstecgi.cgi. By manipulating the enabled argument, an unauthenticated attacker can inject and execute arbitrary OS commands on the underlying system. This vulnerability is remotely exploitable and has a published exploit, making it a significant risk for exposed devices. Given the high CVSS score of 9.8, immediate action is warranted to prevent potential compromise.

Attack Chain

  1. The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
  2. The request targets the setOpenVpnCfg function.
  3. The attacker injects malicious OS commands within the enabled argument of the request.
  4. The setOpenVpnCfg function processes the request without proper sanitization of the enabled argument.
  5. The injected OS commands are executed by the system.
  6. The attacker gains arbitrary code execution on the router.
  7. The attacker can then perform actions such as modifying router settings, intercepting network traffic, or using the router as a pivot point for further attacks within the network.

Impact

Successful exploitation of CVE-2026-9456 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected Totolink A8000RU router. This can lead to a full compromise of the device, potentially enabling attackers to monitor network traffic, modify router configurations, or use the compromised device as a launchpad for attacks on other devices within the network. Given the availability of a public exploit, the risk of widespread exploitation is high.

Recommendation

  • Apply available patches or firmware updates from Totolink to remediate CVE-2026-9456.
  • Deploy the Sigma rules provided below to detect exploitation attempts targeting the setOpenVpnCfg function.
  • Monitor web server logs for suspicious POST requests to /cgi-bin/cstecgi.cgi containing shell metacharacters in the enabled parameter.
  • If patching is not immediately feasible, consider implementing network segmentation to limit the potential impact of a compromised router.
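
The log-monitoring recommendation above can be implemented as follows. This is an added example, not code from the advisory or from Totolink. It assumes a log source (such as a reverse proxy or WAF) that records request bodies as JSON lines with `method`, `uri` and `body` fields. The advisory does not state the request body format, so the parser accepts both JSON and form-encoded bodies, and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
FUNCTION = "setOpenVpnCfg"
# Characters a shell treats specially; a plain on/off flag needs none of them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"]")

def extract_enabled(body):
    """Return the 'enabled' value from a JSON or form-encoded body, else None."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and "enabled" in data:
            return str(data["enabled"])
    except ValueError:
        pass
    # parse_qs also percent-decodes, so %3B or %60 cannot hide a metacharacter.
    values = parse_qs(body, keep_blank_values=True).get("enabled")
    return values[0] if values else None

def is_suspicious(record):
    """True for a POST to the endpoint naming setOpenVpnCfg with metacharacters in 'enabled'."""
    uri = record.get("uri") or ""
    body = record.get("body") or ""
    if record.get("method") != "POST" or not uri.startswith(ENDPOINT):
        return False
    if FUNCTION not in body and FUNCTION not in uri:
        return False
    enabled = extract_enabled(body)
    return enabled is not None and bool(SHELL_META.search(enabled))

def scan(lines):
    """Return the records in JSON-lines input that match the rule."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if isinstance(record, dict) and is_suspicious(record):
            hits.append(record)
    return hits

# Constructed sample records; "fn" and "otherFunction" are hypothetical names.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "192.0.2.10", "method": "POST", "uri": ENDPOINT, "body": '{"fn":"setOpenVpnCfg","enabled":"1"}'},
    {"src": "198.51.100.7", "method": "POST", "uri": ENDPOINT, "body": '{"fn":"setOpenVpnCfg","enabled":"1;PLACEHOLDER"}'},
    {"src": "198.51.100.7", "method": "POST", "uri": ENDPOINT, "body": "fn=setOpenVpnCfg&enabled=1%60PLACEHOLDER%60"},
    {"src": "192.0.2.10", "method": "POST", "uri": ENDPOINT, "body": '{"fn":"otherFunction","enabled":"1;PLACEHOLDER"}'},
)]
```

Standard access logs usually omit POST bodies, so this check only works where body capture is enabled on the device in front of the router's management interface.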

Detection coverage (2 rules)

Detects CVE-2026-9456 Exploitation — Totolink setOpenVpnCfg Command Injection

critical

Detects CVE-2026-9456 exploitation — Attempts to exploit command injection in the Totolink A8000RU router via the setOpenVpnCfg function.

sigma; tactics: execution, initial_access; techniques: T1059.004; sources: webserver

Detects CVE-2026-9456 Exploitation — Totolink setOpenVpnCfg POST Request

high

Detects CVE-2026-9456 exploitation — HTTP POST request to cstecgi.cgi with setOpenVpnCfg containing shell command

sigma; tactics: execution, initial_access; techniques: T1059.004; sources: webserver

Detection queries are available on the platform.