Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-9384

CVE-2026-9384

CRITICAL9.8

Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection

Published May 24, 2026

Modified 2 weeks ago

Details

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument ip results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used.

References

https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_331/README.md

https://vuldb.com/submit/813429

https://vuldb.com/vuln/365347

https://vuldb.com/vuln/365347/cti

https://www.cve.org/CVERecord?id=CVE-2026-9384

https://www.totolink.net/

CVSS Analysis

CVSS v4.0

9.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

9.3/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Injection

OS Command Injection

Input Validation

Command Injection

Ecosystems

Timeline

PublishedMay 24, 2026

ModifiedMay 26, 2026

CVE-2026-9384 | Mondoo Vulnerability Intelligence