24 Critical OS Command Injection CVEs Disclosed in Totolink A8000RU Router, No Patch Available
Twenty-four critical-severity OS command injection vulnerabilities were disclosed in the Totolink A8000RU router's web management interface, all unauthenticated and with public exploit code, but no firmware patch has been released.

A batch of 24 critical-severity vulnerabilities was published for the Totolink A8000RU router between May 24 and May 25, 2026, every one of them an unauthenticated OS command injection flaw in the device's web management interface. All 24 CVEs carry a CVSSv3 score of 9.8 and affect firmware version 7.1cu.643_b20200521, making this one of the largest same-batch disclosures for a single consumer router model in recent memory.
Every vulnerability shares the same core mechanism: the CGI endpoint /cgi-bin/cstecgi.cgi fails to sanitize user-supplied arguments before passing them to operating system commands. An attacker who can reach the router's web interface — either from the LAN side or, if remote management is enabled, from the WAN — can inject arbitrary OS commands by sending crafted HTTP requests. The sheer breadth of affected functions means that nearly every configuration page in the router's admin panel is a potential entry point.
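To make the bug class concrete, the following is an added C illustration, not Totolink's code or the actual contents of cstecgi.cgi: the handler and helper names (cgi_arg_is_enable_flag, cgi_arg_is_ipv4, run_ping_safely) are hypothetical. It shows the unsafe pattern the disclosures describe, a CGI argument interpolated into a shell command, beside a hardened form that validates each argument against its expected format and executes without a shell.

```c
/* Added illustration of the cstecgi.cgi bug class. Not Totolink's code:
 * function names and the ping handler are hypothetical. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* UNSAFE pattern the disclosures describe: the CGI value reaches a shell,
 *   snprintf(cmd, sizeof cmd, "ping -c 1 %s", ip); system(cmd);
 * so ';', '|', '`' or '$(' in "ip" starts an additional command. */

/* Handlers such as setWanCfg take an enable/enabled flag: allow only "0"/"1". */
int cgi_arg_is_enable_flag(const char *v) {
    return v && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* setDiagnosisCfg takes "ip": allow only a dotted-quad IPv4 literal. Any byte
 * other than a digit or '.' (every metacharacter, quote, space) is rejected. */
int cgi_arg_is_ipv4(const char *v) {
    int octets = 0, digits = 0, val = 0;
    if (!v || !*v) return 0;
    for (;; v++) {
        if (*v >= '0' && *v <= '9') {
            if (++digits > 3) return 0;
            val = val * 10 + (*v - '0');
            if (val > 255) return 0;
        } else if (*v == '.' || *v == '\0') {
            if (digits == 0) return 0;      /* empty octet or trailing dot */
            octets++;
            if (*v == '\0') break;
            if (octets == 4) return 0;      /* more than four octets */
            digits = 0; val = 0;
        } else { return 0; }                /* anything else is not an IP */
    }
    return octets == 4;
}

/* Hardened handler: validate, then exec without a shell so the value is one argv
 * element no interpreter parses. Returns ping's exit status, or -1 on rejection/failure. */
int run_ping_safely(const char *ip) {
    if (!cgi_arg_is_ipv4(ip)) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)ip, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same two steps apply to every handler listed below: a per-argument allowlist (a flag, a MAC address, a filename without path separators) and an exec path that never hands the value to /bin/sh.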
The 24 CVEs can be grouped by the router function they compromise. Several target network configuration handlers: CVE-2026-9458 (setWanCfg, argument enabled), CVE-2026-9436 (setL2tpServerCfg, argument enable), CVE-2026-9435 (setQosCfg, argument enable), CVE-2026-9404 (setDdnsCfg, argument provider), and CVE-2026-9456 (setOpenVpnCfg, argument enabled). Others hit security and access-control features: CVE-2026-9478 (setParentalRules, argument enable), CVE-2026-9433 (setMacFilterRules, argument enable), CVE-2026-9408 (setStaticDhcpRules, argument enable), CVE-2026-9407 (setFirewallType, argument firewallType), and CVE-2026-9477 (setAccessDeviceCfg, argument mac).
WiFi and device configuration functions are also widely affected. CVE-2026-9434 (setWiFiWpsCfg, argument wscDisabled), CVE-2026-9432 (setWiFiAdvancedCfg, argument bgProtection), CVE-2026-9476 (setPasswordCfg, argument admpass), CVE-2026-9406 (setRemoteCfg, argument enable), and CVE-2026-9386 (setLanguageCfg, argument lang) all allow command injection through their respective parameters. Diagnostic and maintenance functions are equally vulnerable: CVE-2026-9384 (setDiagnosisCfg, argument ip), CVE-2026-9385 (setTracerouteCfg, argument command), CVE-2026-9387 (setUpgradeFW, argument resetFlags), and CVE-2026-9388 (setScheduleCfg, argument mode). File upload handlers are not spared either — CVE-2026-9457 (UploadFirmwareFile, argument FileName) and CVE-2026-9455 (UploadOpenVpnCert, argument FileName) allow injection through filename parameters. Rounding out the batch are CVE-2026-9475 (setIpQosRules, argument Comment), CVE-2026-9454 (setOpenVpnCertGenerationCfg, argument servername), and CVE-2026-9405 (setGameSpeedCfg, argument enable).
The exploit status is notable: the descriptions for all 24 CVEs indicate that exploit code has been made public or is otherwise available. Consistent with the CVSSv3 score of 9.8, these are pre-authentication vulnerabilities: an attacker does not need valid admin credentials to exploit them. The attack vector is network-based, the complexity is low, and no user interaction is required. A successful exploit grants the attacker arbitrary command execution on the router's underlying operating system, which can lead to full device compromise, network pivoting, data exfiltration, or use of the device in botnet operations.
As of the disclosure date, Totolink has not released a patched firmware version for the A8000RU. The affected firmware build is 7.1cu.643_b20200521, dated May 21, 2020, meaning this codebase has gone unpatched for over six years. Users of the A8000RU should immediately disable remote management access from the WAN side if it is enabled, restrict LAN access to the admin interface to trusted devices only, and monitor Totolink's support portal for a firmware update. Given the age of the firmware and the volume of vulnerabilities, a complete firmware rebuild addressing input sanitization across the entire CGI interface is warranted.
This batch underscores a recurring problem in the consumer router market: firmware that goes years without security maintenance, accumulating dozens of identical bug classes across different handler functions. The Totolink A8000RU joins a long list of SOHO router models where a single code review of the CGI argument parsing would have prevented an entire disclosure event of this magnitude. Users should treat this device as high-risk until a patched firmware is confirmed available.