CVE-2026-9475
CriticalSummary
A vulnerability CVE-2026-9475 was identified in the Totolink A8000RU 7.1cu.643_b20200521, allowing OS command injection through manipulation of the Comment argument in the setIpQosRules function of the /cgi-bin/cstecgi.cgi file. Remote exploitation is possible, and the exploit has been publicly disclosed.
Risk Assessment
The organization may be exposed to remote attacks that could lead to device takeover or data leakage. Exploitation of this vulnerability could result in serious security implications for the network.
Recommendation
It is recommended to update the device firmware to the latest version that addresses this vulnerability. Additionally, access to the management interface should be restricted to trusted IP addresses.
Original NVD description (English source)
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

