PatchDayAlert: 2026-04-28

DAILY BRIEF · APRIL 28, 2026

Five CVSS 9.8 bugs dropped today, all hitting consumer/SMB routers, all with public exploits, none requiring authentication. Four of them hammer the same Totolink A8000RU firmware through different CGI parameters, and the fifth is a buffer overflow on D-Link DI-8100. If either device is in your environment, pull it off the network or restrict management access right now.

TOP THREAT TODAY

CVE-2026-7248 CVSS 9.8 CRITICAL

An attacker can remotely trigger a buffer overflow on D-Link DI-8100 routers (firmware 16.07.26A1) through the tgfile.htm CGI endpoint by sending a crafted 'fn' parameter. No authentication is needed, and a working exploit is already public. CVSS 9.8, so this is about as bad as it gets for a network device.

Affects: Anyone running a D-Link DI-8100 with firmware 16.07.26A1


Patch immediately. Check D-Link's support page for a firmware update. If no patch is available, pull the device off the public internet and restrict management access to a trusted VLAN until one ships.

CVE-2026-7244 CVSS 9.8 CRITICAL

A remote attacker can inject OS commands into the Totolink A8000RU router through the setWiFiEasyGuestCfg function via the 'merge' parameter. No auth appears to be required, the exploit is public, and CVSS is 9.8. That means full device compromise from anywhere that can reach the management interface.

Affects: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521


Patch immediately. Update to the latest firmware from Totolink. If no fix exists yet, disable remote management and restrict access to the CGI handler from untrusted networks.

CVE-2026-7243 CVSS 9.8 CRITICAL

Remote OS command injection in the Totolink A8000RU via the setRadvdCfg function's 'maxRtrAdvInterval' parameter. The exploit is public and CVSS is 9.8. An attacker who can reach the CGI handler can run arbitrary commands on the router as if they own it.

Affects: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521


Patch immediately. Apply the latest Totolink firmware. If none is available, block external access to the /cgi-bin/cstecgi.cgi endpoint and disable remote administration.

CVE-2026-7242 CVSS 9.8 CRITICAL

Yet another remote command injection in the Totolink A8000RU, this time through the setOpenVpnClientCfg function's 'enabled' parameter. Public exploit, CVSS 9.8. If you're seeing a pattern here, you're right: this firmware version is riddled with unsanitized CGI inputs.

Affects: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521


Patch immediately. Update to the latest Totolink firmware. If Totolink hasn't released a fix, isolate the device and seriously consider replacing it with hardware from a vendor that sanitizes its inputs.

CVE-2026-7241 CVSS 9.8 CRITICAL

One more in the batch: remote OS command injection in the Totolink A8000RU through setWiFiBasicCfg via the 'wifiOff' parameter. Public exploit, CVSS 9.8. Combined with the other three CVEs hitting this same firmware, the entire CGI handler on this device should be considered untrusted.

Affects: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521


Patch immediately. Flash updated firmware from Totolink if available. If not, take the device off any network where it's reachable by untrusted traffic. Four public RCE exploits on one firmware version is a strong signal to evaluate a hardware replacement.
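Every entry above ends with the same two controls: keep the router's management endpoints off untrusted networks, and treat any request that exercises the affected CGI functions as suspect. The script below is an added example written for this brief, not code from PatchDayAlert or from either vendor. It walks a web-access log for the two endpoints named today (/cgi-bin/cstecgi.cgi on the Totolink A8000RU, tgfile.htm on the D-Link DI-8100), flags requests that reach them from outside an assumed management subnet (10.10.0.0/24), notes when a request names one of the four affected Totolink functions, and applies a generic shell-metacharacter check to the five parameters listed in the advisories. The log lines are constructed, the combined-log format is assumed, and the assumption that the Totolink function and parameter names appear in the request URL is just that; adjust the parsing to however your router or reverse proxy actually logs requests.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named in today's brief (paths taken from the advisory text).
WATCHED_PATHS = ("/cgi-bin/cstecgi.cgi", "/tgfile.htm")
# Affected Totolink functions and the parameters cited for all five CVEs.
WATCHED_FUNCS = ("setWiFiEasyGuestCfg", "setRadvdCfg",
                 "setOpenVpnClientCfg", "setWiFiBasicCfg")
WATCHED_PARAMS = ("merge", "maxRtrAdvInterval", "enabled", "wifiOff", "fn")

# Assumption: only this subnet is allowed to reach router management.
TRUSTED_MGMT = ipaddress.ip_network("10.10.0.0/24")

# Generic shell-metacharacter check applied to watched parameter values
# ('&' is not included because the query string is already split on it).
META = re.compile(r"[;|`$]")

# Assumed combined-log layout: src ident user [time] "METHOD URL PROTO" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one probe from the internet, one legitimate
# management call, one external hit on the D-Link endpoint, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2026:09:12:01 +0000] "POST /cgi-bin/cstecgi.cgi?setRadvdCfg&maxRtrAdvInterval=600;ls HTTP/1.1" 200 512
10.10.0.5 - - [28/Apr/2026:09:13:44 +0000] "POST /cgi-bin/cstecgi.cgi?setWiFiBasicCfg&wifiOff=0 HTTP/1.1" 200 310
198.51.100.9 - - [28/Apr/2026:09:15:02 +0000] "GET /tgfile.htm?fn=report.txt HTTP/1.1" 200 1024
10.10.0.5 - - [28/Apr/2026:09:16:10 +0000] "GET /index.htm HTTP/1.1" 200 2048
"""


def analyze_line(line):
    """Return a list of findings for one log line (empty if benign),
    or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    url = unquote(m["url"])          # decode %XX so encoded metacharacters are seen
    path, _, query = url.partition("?")

    findings = []
    if not any(path.endswith(p) for p in WATCHED_PATHS):
        return findings              # not a watched endpoint; nothing to say

    # Control 1 from the brief: management endpoints reachable only from a trusted VLAN.
    if src not in TRUSTED_MGMT:
        findings.append("management endpoint reached from outside trusted subnet")

    # Control 2: any use of the affected functions is worth recording.
    for fn in WATCHED_FUNCS:
        if fn in url:
            findings.append(f"request names affected function {fn}")

    # Heuristic: shell metacharacters in the parameters the advisories cite.
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        if key in WATCHED_PARAMS and META.search(value):
            findings.append(f"shell metacharacter in parameter {key!r}")
    return findings


def scan_log(text):
    """Scan a whole log; return (source_ip, findings) for each line that raised any."""
    results = []
    for line in text.splitlines():
        findings = analyze_line(line)
        if findings:
            src = line.split(" ", 1)[0]
            results.append((src, findings))
    return results


if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(src)
        for f in findings:
            print("  -", f)
```

On the sample data the first line raises all three findings, the legitimate call from 10.10.0.5 is recorded only as having exercised setWiFiBasicCfg, the external hit on tgfile.htm is flagged for its source alone, and the index page is ignored. The subnet check is the one that matters most while no firmware fix exists: if these endpoints are reachable from anywhere but your management VLAN, the parameter-level heuristics are a backstop, not a control.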

That's your patch day digest.

patchdayalert.com
