Analyst readout for executives and security teams
Plain-English summary
A Totolink A8000RU router firmware issue lets a remote attacker run operating-system commands through the web management interface. For organizations still using this model and firmware, the risk is severe because compromise of a router can expose traffic, credentials, internal networks, and availability.
Executive priority
Treat as urgent for any exposed or business-critical A8000RU router. Prioritize inventory and isolation first, then vendor remediation or replacement. The business risk is high because successful router compromise can undermine network trust and availability.
Technical view
CVE-2026-9384 affects Totolink A8000RU firmware 7.1cu.643_b20200521. The setDiagnosisCfg function in /cgi-bin/cstecgi.cgi mishandles the ip argument, causing OS command injection. CVSS v2 is 10.0: network reachable, low complexity, no authentication, complete confidentiality, integrity, and availability impact. Sources map it to CWE-77 and CWE-78.
Likely exposure
Exposure is most likely where Totolink A8000RU web management is reachable from untrusted networks, especially internet-facing administration. The source bundle names only firmware 7.1cu.643_b20200521, so do not assume other models or versions are affected without vendor evidence.
Exploitation context
The source bundle says exploit material has been made public and could be used. It does not provide KEV confirmation or another cited source proving active exploitation in the wild, so active exploitation should not be claimed from this evidence alone.
Researcher notes
Evidence supports a remotely reachable OS command injection in the Web Management Interface, specifically setDiagnosisCfg and the ip argument. Public PoC availability is cited, but KEV is false and fix status is not named. Avoid expanding affected scope beyond the stated firmware without additional vendor confirmation.
Mitigation direction
- Identify any Totolink A8000RU devices and firmware versions in use.
- Remove web management access from the internet and untrusted networks.
- Check Totolink guidance for firmware updates, advisories, or replacement direction.
- Restrict administration to trusted management networks and authenticated VPN paths.
- Replace unsupported exposed devices if no vendor fix is available.
Validation and detection
- Confirm whether any A8000RU runs firmware 7.1cu.643_b20200521.
- Check external attack surface records for exposed web management interfaces.
- Review firewall rules for administrative access to the router interface.
- Inspect device logs and network telemetry for unusual management activity.
- Track CVE, VulDB, and Totolink pages for fix status changes.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-77: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2026-9384 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 10 (2.0)
- Known Exploited
- No
- Published
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR 10 10 VulDB CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R 3.9 5.9 VulDB CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R 3.9 5.9 VulDB CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P — — VulDB Vulnerability scoring details
Base CVSS 4.0 score
9.3 CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
9.8 CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Base CVSS 3.0 score
9.8 CriticalVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Base CVSS 2.0 score
10 CriticalVector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
Source materials
- CVE List V5 source CVE List V5
- VDB-365347 | Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection CVE reference, VulDB · vdb-entry, technical-description
- VDB-365347 | CTI Indicators (IOB, IOC, TTP, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #813429 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection CVE reference, VulDB · third-party-advisory
- https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_331/README.md CVE reference, VulDB · exploit
- https://www.totolink.net/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.
Improper Neutralization of Special Elements used in an OS Command
Improper Neutralization of Special Elements used in an OS Command represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.