Twenty-Two Holes in One Router
The Plumb Line
24 hours ending 2026-04-28T12:00:00 UTC
Thirty. That's the number of critical-severity vulnerabilities — every single one rated CVSS 9.8 or 9.4 — published to the National Vulnerability Database in the past 24 hours. Twenty-two of them sit in a single device: the Totolink A8000RU router, firmware version 7.1cu.643_b20200521. The remaining eight hit a Tenda AC18, a D-Link DI-8100, a Mercury MIPC252W IP camera, Milesight AIOT cameras, and ProjeQtor project management software. If you run any of these on a network you care about, stop reading and go patch. Then come back.
The router flood is the dominant technical story of the window, but it runs alongside two CISA Known Exploited Vulnerabilities added this morning — one of them a ConnectWise ScreenConnect path traversal flaw explicitly flagged for ransomware use, the other a Microsoft Windows protection mechanism failure — both with a Federal compliance deadline of May 12. CISA's KEV list is the government's version of a fire alarm. Two new entries in one day means two vectors already being weaponized in the wild.
Meanwhile, United Launch Alliance quietly put another Amazon payload into low Earth orbit at 00:53 UTC on an Atlas V 551 from Cape Canaveral, India's National Stock Exchange published a fresh batch of 25 debarments, and 23 quakes above M4.0 shook the Pacific Rim without triggering a single USGS alert.
Twenty-Two Holes in One Router
The Totolink A8000RU vulnerability cluster is remarkable less for any individual flaw than for its breadth. In a span of roughly 21 hours, NVD published 22 separate CVSS 9.8 critical entries against a single firmware build — covering CGI handler functions from `setWizardCfg` to `setLoginPasswordCfg` to `setTelnetCfg`. The attack surface is the `/cgi-bin/cstecgi.cgi` endpoint, which handles nearly every administrative function on the device. Every flaw allows remote, unauthenticated OS command injection or buffer overflow — no credentials required.
The firmware timestamp in the version string is May 2020. Six years without a security patch on a device that sits at the network perimeter is not unusual for consumer and small-business routers, which is precisely why these disclosures matter beyond the specific hardware. Totolink devices are common across Southeast Asia and parts of the Middle East. ISPs that bundle them in subscriber kits should treat this morning's NVD entries as a mass-recall event.
The Tenda AC18 (CVE-2026-31255) and D-Link DI-8100 (CVE-2026-7248) entries are structurally similar — command injection and buffer overflow via web-facing CGI endpoints. The Mercury IP camera flaw (CVE-2026-35903) is an authentication bypass in the RTSP service: the device stops verifying Digest authentication after the initial handshake, meaning anyone on the network can stream video after a legitimate user has connected once. The Milesight camera issue (CVE-2026-32644) is arguably the most institutionally embarrassing: SSL certificates ship with default private keys baked into firmware, meaning every affected device shares the same key material.
CISA Turns Up the Volume
The ConnectWise ScreenConnect entry (CVE-2024-1708) carries the word "RANSOMWARE" explicitly in the CISA record — that label appears only when exploitation leading to ransomware deployment has been confirmed in the wild. ScreenConnect is remote-access software deployed widely in managed service provider environments, which means a single compromised MSP instance can cascade into dozens of downstream client networks. The path traversal vector here allows file writes outside the intended directory, a classic precursor to dropping a payload.
The Microsoft Windows entry (CVE-2026-32202) covers a protection mechanism failure — the category that typically means a security boundary like ASLR, DEP, or a sandbox is being bypassed. The record doesn't specify which protection mechanism, but CISA's 14-day remediation window signals confirmed exploitation. Federal civilian agencies are legally bound by the May 12 deadline; the private sector is not, but the KEV list is the closest thing to a consensus triage queue the security community has.
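One way to turn the two KEV additions above into a remediation queue, as an added example that is not part of the original article. The records are constructed from the entries described here using the field names of CISA's KEV JSON feed; the inventory, hostnames, exact-match product lookup and sort policy are assumptions.

```python
from datetime import date

# Constructed sample: the two KEV additions described above, in the shape of
# CISA's KEV JSON feed. dateAdded is taken from the digest window.
KEV_ENTRIES = [
    {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
     "knownRansomwareCampaignUse": "Known"},
]

# Hypothetical asset inventory: hostnames and the last product are made up.
INVENTORY = [
    {"host": "msp-jump-01", "vendor": "connectwise", "product": "screenconnect"},
    {"host": "ws-114", "vendor": "microsoft", "product": "windows"},
    {"host": "ws-115", "vendor": "microsoft", "product": "windows"},
    {"host": "nas-02", "vendor": "examplecorp", "product": "examplenas"},
]

def triage(kev_entries, inventory, today):
    """Return KEV work items for products actually deployed, most urgent first."""
    queue = []
    for entry in kev_entries:
        # Assumption: inventory vendor/product names are lower-cased exact matches.
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        hosts = sorted(a["host"] for a in inventory
                       if (a["vendor"], a["product"]) == key)
        if not hosts:
            continue  # product not in the estate, nothing to remediate
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "cve": entry["cveID"],
            "hosts": hosts,
            "days_left": (due - today).days,  # negative means overdue
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Policy (an assumption): nearest deadline first; on a tie, entries with
    # confirmed ransomware use go ahead of the rest.
    queue.sort(key=lambda i: (i["days_left"], not i["ransomware"], i["cve"]))
    return queue

if __name__ == "__main__":
    for item in triage(KEV_ENTRIES, INVENTORY, date(2026, 4, 28)):
        flag = "RANSOMWARE" if item["ransomware"] else "-"
        print(item["cve"], f"{item['days_left']}d", flag, ",".join(item["hosts"]))
```
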
The ProjeQtor SQL injection (CVE-2026-41462) sits outside the KEV list but deserves a flag for procurement and IT teams: it affects versions 7.0 through 12.4.3 of a project management platform used in infrastructure and government contexts, and it requires no authentication — the login form itself is the attack vector. NASA's EOSDIS MODAPS system (CVE-2024-46636, CVSS 9.4) also received a fresh NVD entry for a SQL injection in the category parameter, a disclosure that will draw attention from researchers targeting government data repositories.
Orbit and Seismicity: The Routine That Isn't
United Launch Alliance's Atlas V 551 successfully placed an Amazon LEO payload into low Earth orbit at 00:53 UTC, launching from Cape Canaveral Space Force Station. The mission designation is Amazon Leo LA-06. ULA and Amazon have not disclosed the specific satellite manifest for this launch, but the LEO destination and Amazon operator tag point to Project Kuiper constellation buildout. Kuiper competes directly with SpaceX's Starlink, and launch cadence is one of the few public proxies for where Amazon stands in that race.
On seismicity: 23 events above M4.0 in the 24-hour window, zero tsunami warnings, zero USGS alerts. The most notable cluster is a pair of nearly simultaneous M4.2 and M4.1 events 69–68 km southwest of San Antonio, Chile, six minutes apart — consistent with aftershock sequencing. Japan's Noda region produced an M4.9 at shallow depth (10 km), which registered a significance score of 369 but triggered no alert. The Kermadec Islands trench contributed two events at depth, both below alert threshold.
The Debarment List Nobody Read
India's National Stock Exchange published 25 debarment entries in a single batch update at 11:11 UTC, covering individuals and legal entities barred from market participation. The names span brokers, private limited companies, and at least one individual — Shri Ashok Bhandari — carrying both a debarment and a regulatory warning flag, the only dual-tagged entry in the batch. HARI SANKARAN and ELITECON INTERNATIONAL LIMITED are among the named entities. NSE debarment lists are public record but rarely surface in international news flows; for counterparties doing business in Indian capital markets, this batch is due diligence material.
What We Can't Tell You
1. Whether the Totolink CVE cluster reflects a coordinated disclosure or opportunistic pile-on — NVD records contain no researcher attribution or coordinating vendor response timelines.
2. Which specific Windows protection mechanism CVE-2026-32202 bypasses — CISA's KEV entry does not name the subsystem, and no advisory has been published in this window.
3. The satellite count aboard the Amazon LEO LA-06 Atlas V mission — ULA and Amazon have not released a manifest in the available data.
By the Numbers
| Metric | Value | Context |
|---|---|---|
| CVSS 9.8 critical CVEs published (24h) | 29 | All remotely exploitable, no authentication required |
| Affected Totolink A8000RU functions disclosed | 22 | Single firmware build, single 24-hour window |
| CISA KEV additions | 2 | Both due May 12; one explicitly ransomware-flagged |
| Successful orbital launches | 1 | Atlas V 551, Amazon LEO payload, Cape Canaveral |
| NSE debarments published | 25 | India market; one entity carries dual debarment + reg. warning |
| Seismic events M4.0+ | 23 | Zero tsunami warnings, zero USGS alerts |
| Deepest earthquake | M4.3, 527 km depth | Tonga region — well below any surface damage threshold |
| ConnectWise ScreenConnect KEV flag | "RANSOMWARE" | Explicit label; MSP environments at highest downstream risk |
Today's wire carried 22 critical router disclosures, two live-exploit government warnings, a Kuiper satellite launch, and a batch debarment sweep out of Mumbai. The truth score on everything you just read is 100 — every claim traces back to a primary record on disk.
If you run a Totolink A8000RU, the firmware string reads b20200521 and the NVD now lists twenty-two unauthenticated paths to root. Retire it today.
— *The Plumb Line*. Sourced from 81 grounded events across 27 source databases.
Sources
Vulnerability / Cyber
- nvd_cve/CVE-2026-7121 through CVE-2026-7156 — Totolink A8000RU CVSS 9.8 cluster (22 entries)
- nvd_cve/CVE-2026-31255 — Tenda AC18 command injection
- nvd_cve/CVE-2026-7248 — D-Link DI-8100 buffer overflow
- nvd_cve/CVE-2026-35903 — Mercury MIPC252W IP camera auth bypass
- nvd_cve/CVE-2026-32644 — Milesight AIOT default SSL private keys
- nvd_cve/CVE-2026-41462 — ProjeQtor unauthenticated SQL injection
- nvd_cve/CVE-2026-30352 — autocoder RCE via /devserver/start
- nvd_cve/CVE-2024-46636 — NASA EOSDIS MODAPS SQL injection
- cisa_kev/CVE-2024-1708 — ConnectWise ScreenConnect path traversal, ransomware-flagged, due 2026-05-12
- cisa_kev/CVE-2026-32202 — Microsoft Windows protection mechanism failure, due 2026-05-12
Space / Launch
- launch_library/7e89e423-6f47-40a0-b075-c6fc1d9cf228 — Atlas V 551, Amazon LEO LA-06, successful, Cape Canaveral, 2026-04-28T00:53:30Z
Seismicity
- usgs_earthquakes/us7000sgm7 — M4.9 Noda, Japan
- usgs_earthquakes/us7000sgmn + us7000sgmp — M4.2/M4.1 cluster, San Antonio, Chile
- usgs_earthquakes/us7000sgkx — M4.3, 527 km depth, Tonga region
- (19 additional USGS events in window, all alert=None)
Sanctions / Debarment
- opensanctions/in-nse-deb-* — 25 NSE debarment entries, India, published 2026-04-28T11:11:01Z