PatchDay Alert
APR 29, 2026
Daily Digest By Colten Anderson

Five 9.8s on SOHO routers: Totolink and D-Link firmware is Swiss cheese

Four public command injection exploits hit the Totolink A8000RU and one buffer overflow nails the D-Link DI-8100. All CVSS 9.8, all pre-auth, all with public exploit code. If either device is in your stack, pull it off the internet now.

Patch now: 5
Within 24h: 0
This week: 0
Exploited: 0
Router, Network Appliance, VPN

Five CVSS 9.8 bugs dropped today, all hitting consumer/SMB routers, all with public exploits, none requiring authentication. Four of them hammer the same Totolink A8000RU firmware through different CGI parameters, and the fifth is a buffer overflow on D-Link DI-8100. If either device is in your environment, pull it off the network or restrict management access right now.


Today's CVEs

Sorted by urgency
02

CVE-2026-7244

NVD
CVSS 9.8 CRITICAL
Router, Network Appliance

A remote attacker can inject OS commands into the Totolink A8000RU router through the setWiFiEasyGuestCfg function via the 'merge' parameter. No auth appears to be required, the exploit is public, and CVSS is 9.8. That means full device compromise from anywhere that can reach the management interface.

Affected estate: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected Router versions.
Action: Update to the latest firmware from Totolink. If no fix exists yet, disable remote management and restrict access to the CGI handler from untrusted networks.
Urgency: Patch immediately
Why it matters: A remote attacker can inject OS commands into the Totolink A8000RU router through the setWiFiEasyGuestCfg function via the 'merge' parameter.
Source: NVD
03

CVE-2026-7243

NVD
CVSS 9.8 CRITICAL
Router, Network Appliance

Remote OS command injection in the Totolink A8000RU via the setRadvdCfg function's 'maxRtrAdvInterval' parameter. The exploit is public and CVSS is 9.8. An attacker who can reach the CGI handler can run arbitrary commands on the router as if they own it.

Affected estate: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected Router versions.
Action: Apply the latest Totolink firmware. If none is available, block external access to the /cgi-bin/cstecgi.cgi endpoint and disable remote administration.
Urgency: Patch immediately
Why it matters: Remote OS command injection in the Totolink A8000RU via the setRadvdCfg function's 'maxRtrAdvInterval' parameter.
Source: NVD
04

CVE-2026-7242

NVD
CVSS 9.8 CRITICAL
VPN, Network Appliance

Yet another remote command injection in the Totolink A8000RU, this time through the setOpenVpnClientCfg function's 'enabled' parameter. Public exploit, CVSS 9.8. If you're seeing a pattern here, you're right: this firmware version is riddled with unsanitized CGI inputs.

Affected estate: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected VPN versions.
Action: Update firmware immediately. If Totolink hasn't released a fix, isolate the device and seriously consider replacing it with hardware from a vendor that sanitizes its inputs.
Urgency: Patch immediately
Why it matters: Yet another remote command injection in the Totolink A8000RU, this time through the setOpenVpnClientCfg function's 'enabled' parameter.
Source: NVD
05

CVE-2026-7241

NVD
CVSS 9.8 CRITICAL

One more in the batch: remote OS command injection in the Totolink A8000RU through setWiFiBasicCfg via the 'wifiOff' parameter. Public exploit, CVSS 9.8. Combined with the other 3 CVEs hitting this same firmware, the entire CGI handler on this device should be considered untrusted.

Affected estate: Anyone running a Totolink A8000RU on firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Flash updated firmware from Totolink if available. If not, take the device off any network where it's reachable by untrusted traffic. Four public RCE exploits on one firmware version is a strong signal to evaluate a hardware replacement.
Urgency: Patch immediately
Why it matters: One more in the batch: remote OS command injection in the Totolink A8000RU through setWiFiBasicCfg via the 'wifiOff' parameter.
Source: NVD
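
While the firmware question is open, the four Totolink entries above can be hunted for in proxy or packet-capture logs. The following is an added example, not code from Totolink, NVD or this digest: it flags requests to /cgi-bin/cstecgi.cgi where one of the four named parameters carries a value outside a plain-settings allowlist. The record layout, the `flag_requests` name, the JSON request body and the `topicurl` field that names the function are assumptions; adjust them to what your capture shows.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Function -> parameter pairs named in the four advisories above.
WATCHED = {
    "setWiFiEasyGuestCfg": "merge",
    "setRadvdCfg": "maxRtrAdvInterval",
    "setOpenVpnClientCfg": "enabled",
    "setWiFiBasicCfg": "wifiOff",
}
# Allowlist: a plain settings value needs nothing beyond these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]*")

def flag_requests(records):
    """Return (src, function, reason) for each request an analyst should review."""
    hits = []
    for rec in records:
        if rec["path"].split("?", 1)[0] != CGI_PATH:
            continue
        try:
            body = json.loads(rec["body"])
        except ValueError:
            body = None
        if not isinstance(body, dict):
            # Unparseable body: fall back to a substring match on the function name.
            hits += [(rec["src"], f, "unparseable body") for f in WATCHED if f in rec["body"]]
            continue
        func = body.get("topicurl")  # ASSUMPTION: field that names the CGI function
        param = WATCHED.get(func) if isinstance(func, str) else None
        if param is None or param not in body:
            continue
        if not SAFE_VALUE.fullmatch(str(body[param])):
            hits.append((rec["src"], func, f"{param} outside allowlist"))
    return hits

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "path": CGI_PATH,
     "body": '{"topicurl": "setWiFiBasicCfg", "wifiOff": "0"}'},
    {"src": "203.0.113.7", "path": CGI_PATH,
     "body": '{"topicurl": "setRadvdCfg", "maxRtrAdvInterval": "600;PLACEHOLDER"}'},
    {"src": "203.0.113.7", "path": CGI_PATH,
     "body": "topicurl=setWiFiEasyGuestCfg&merge=1"},
    {"src": "198.51.100.4", "path": "/index.html", "body": ""},
]
```

A hit is a lead for review, not proof of compromise; since none of the four bugs requires authentication, any request to this endpoint from an untrusted network deserves the same attention.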