Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-9384 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-9384 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-9384 is a critical severity vulnerability affecting the web management interface of the Totolink A8000RU router (firmware version 7.1cu.643_b20200521), specifically within the setDiagnosisCfg function exposed through the /cgi-bin/cstecgi.cgi CGI handler.

Technical Detail

The flaw resides in the setDiagnosisCfg function of the device's web management CGI interface, which likely fails to properly validate or sanitize user-supplied input before processing it, a pattern commonly associated with command injection or stack-based buffer overflow vulnerabilities in embedded router firmware. An attacker with network access to the management interface can send a crafted HTTP request to /cgi-bin/cstecgi.cgi to trigger the vulnerable function. Successful exploitation could result in unauthenticated remote code execution with root-level privileges on the affected device, given the CVSS score of 9.8 and the typical privilege context of CGI handlers on this class of device.

Exploitation Status

No known exploit code has been publicly documented or observed at this time. The exploit maturity is rated at the lowest tier, indicating no confirmed proof-of-concept or in-the-wild exploitation. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, the critical CVSS score and the class of device affected warrant proactive attention, as similar Totolink vulnerabilities have historically attracted rapid weaponization.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE as of May 31, 2026.

What To Do

Check the Totolink support portal for a firmware update addressing this vulnerability and apply it immediately if available. If no patch exists, restrict access to the web management interface by disabling remote management and limiting LAN-side access to trusted hosts only using firewall rules or access control lists. Network defenders should monitor for anomalous HTTP POST requests targeting /cgi-bin/cstecgi.cgi with unexpected or oversized parameter values in the fields associated with the diagnosis configuration function. Organizations using this device in any internet-facing or sensitive network segment should consider temporary isolation or replacement if patching is not feasible. Given the 9.8 CVSS score and the unauthenticated attack surface typical of this vulnerability class, treat this as a high-priority remediation item regardless of the current absence of known exploits.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →