{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9475/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9475"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["A8000RU 7.1cu.643_b20200521"],"_cs_severities":["critical"],"_cs_tags":["command injection","router vulnerability","CVE-2026-9475"],"_cs_type":"threat","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical command injection vulnerability, CVE-2026-9475, affects Totolink A8000RU router version 7.1cu.643_b20200521. The vulnerability lies within the Web Management Interface component, specifically in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file\u0026rsquo;s \u003ccode\u003esetIpQosRules\u003c/code\u003e function. By manipulating the \u003ccode\u003eComment\u003c/code\u003e argument, an unauthenticated attacker can inject and execute arbitrary operating system commands on the underlying system. Public exploits are available, increasing the risk of widespread exploitation. Successful exploitation allows for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink A8000RU router running firmware version 7.1cu.643_b20200521.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint, targeting the \u003ccode\u003esetIpQosRules\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes a malicious payload within the \u003ccode\u003eComment\u003c/code\u003e argument designed to inject OS commands.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the \u003ccode\u003eComment\u003c/code\u003e argument to the vulnerable \u003ccode\u003esetIpQosRules\u003c/code\u003e function without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as modifying router configurations, installing backdoors, or pivoting to other devices on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the compromised router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9475 results in complete compromise of the Totolink A8000RU router. An attacker can gain full control of the device, potentially leading to data theft, network disruption, or use of the router as part of a botnet. Given the ease of exploitation and the availability of public exploits, a large number of devices could be targeted, impacting both home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor patch as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusual characters in the \u003ccode\u003eComment\u003c/code\u003e parameter, as detected by the Sigma rule \u0026ldquo;Detect CVE-2026-9475 Exploitation Attempt via Web Logs\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect and block exploitation attempts targeting CVE-2026-9475.\u003c/li\u003e\n\u003cli\u003eDisable remote administration access to the router to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9475 Command Injection via Process Creation\u0026rdquo; to identify processes spawned from the web server with injected commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:04:07Z","date_published":"2026-05-26T14:04:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/","summary":"Totolink A8000RU version 7.1cu.643_b20200521 is vulnerable to remote OS command injection via manipulation of the Comment argument in the setIpQosRules function, allowing unauthenticated attackers to execute arbitrary commands on the device.","title":"Totolink A8000RU Command Injection Vulnerability (CVE-2026-9475)","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-9475","version":"https://jsonfeed.org/version/1.1"}