← Back
2026-05-25 16:45CVE-2026-9475VulDB
PUBLISHED5.2Operating systemCWE-78CWE-77

Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Problem type

Affected products

Totolink

A8000RU

7.1cu.643_b20200521 - AFFECTED

References

VDB-365456 | Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection

https://vuldb.com/vuln/365456

vdb-entrytechnical-description
VDB-365456 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365456/cti

signaturepermissions-required
Submit #813458 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection

https://vuldb.com/submit/813458

third-party-advisory
github.com

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_347/README.md

exploit
totolink.net

https://www.totolink.net/

product

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-9475
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-9475",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-05-25T16:45:11.115Z",
    "dateReserved": "2026-05-24T09:15:21.440Z",
    "datePublished": "2026-05-25T16:45:11.115Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-05-25T16:45:11.115Z"
      },
      "title": "Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized."
        }
      ],
      "affected": [
        {
          "vendor": "Totolink",
          "product": "A8000RU",
          "cpes": [
            "cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web Management Interface"
          ],
          "versions": [
            {
              "version": "7.1cu.643_b20200521",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "OS Command Injection",
              "cweId": "CWE-78",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Command Injection",
              "cweId": "CWE-77",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/vuln/365456",
          "name": "VDB-365456 | Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/vuln/365456/cti",
          "name": "VDB-365456 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/submit/813458",
          "name": "Submit #813458 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_347/README.md",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.totolink.net/",
          "tags": [
            "product"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "baseScore": 10
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-05-24T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-05-24T02:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-05-24T11:20:45.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LtzHust (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}