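A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. It affects the function setPasswordCfg in the file /cgi-bin/cstecgi.cgi of the Web Management Interface component. Manipulating the argument admpass leads to OS command injection. The attack can be launched remotely. An exploit is publicly available and might be used. The record's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, base score 9.8) indicates that no authentication or user interaction is required, and the record lists no fixed version, so the management interface should not be reachable from untrusted networks.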
PUBLISHED | 5.2 | Operating system | CWE-78 | CWE-77
Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection
Problem type
Affected products
Totolink
A8000RU
7.1cu.643_b20200521 - AFFECTED
References
VDB-365457 | Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection
https://vuldb.com/vuln/365457
VDB-365457 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/365457/cti
Submit #813459 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection
https://vuldb.com/submit/813459
github.com
https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_348/README.md
totolink.net
https://www.totolink.net/
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-9476
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-9476",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-05-25T17:00:16.579Z",
"dateReserved": "2026-05-24T09:15:32.636Z",
"datePublished": "2026-05-25T17:00:16.579Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-05-25T17:00:16.579Z"
},
"title": "Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used."
}
],
"affected": [
{
"vendor": "Totolink",
"product": "A8000RU",
"cpes": [
"cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"Web Management Interface"
],
"versions": [
{
"version": "7.1cu.643_b20200521",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "OS Command Injection",
"cweId": "CWE-78",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Command Injection",
"cweId": "CWE-77",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/365457",
"name": "VDB-365457 | Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/365457/cti",
"name": "VDB-365457 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/submit/813459",
"name": "Submit #813459 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_348/README.md",
"tags": [
"exploit"
]
},
{
"url": "https://www.totolink.net/",
"tags": [
"product"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"baseScore": 10
}
}
],
"timeline": [
{
"time": "2026-05-24T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-05-24T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-05-24T11:20:47.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "LtzHust2 (VulDB User)",
"type": "reporter"
}
]
}
}
}