CVE-2026-9385 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-9385 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-9385 is a critical-severity vulnerability in the Totolink A8000RU router (firmware version 7.1cu.643_b20200521). It affects the setTracerouteCfg function reached through the /cgi-bin/cstecgi.cgi handler of the device's web management interface.
Technical Detail
The flaw resides in the setTracerouteCfg function, which processes user-supplied input received through the web management interface without adequate validation or sanitization. An attacker who can reach the interface can send a crafted request to the /cgi-bin/cstecgi.cgi endpoint that triggers the flaw. The exact bug class has not been confirmed; the two classes most often found in Totolink CGI handlers of this pattern are OS command injection (a field such as the traceroute target passed to a shell without escaping) and a stack-based buffer overflow (an oversized field copied into a fixed-size buffer), so one of these is the most likely cause. Either class, in a CGI process that runs as root as is common on consumer routers, would give an unauthenticated remote attacker code execution with root privileges. That outcome is consistent with the 9.8 score, which corresponds to a network-reachable flaw requiring no privileges or user interaction and causing a full loss of confidentiality, integrity and availability.
Exploitation Status
No public exploit code has been identified at this time, and this CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so its exploit maturity is rated "no known exploit". This status should be monitored closely: similar vulnerabilities in Totolink CGI handlers have historically been weaponized quickly by botnet operators, and a CGI handler reachable without authentication requires little reverse-engineering effort to exploit once the vulnerable field is identified.
Who Is Targeting This
No threat actor, confirmed or reported, has been associated with this CVE as of the date of this briefing.
What To Do
Organizations and individuals operating the Totolink A8000RU on firmware version 7.1cu.643_b20200521 should check immediately for an updated firmware release from Totolink and apply it as a priority given the critical CVSS score of 9.8. If no patch is available, restrict access to the web management interface: disable remote (WAN-side) management, place the interface behind a firewall or VPN, and confirm it is not exposed to the public internet. Note that the LAN-side interface remains reachable from every host on the local network, so a compromised internal device could still reach the vulnerable handler; where the network design allows, confine management access to a trusted administrative VLAN or host. Network defenders should monitor for anomalous HTTP POST requests to /cgi-bin/cstecgi.cgi whose traceroute configuration fields carry oversized values or shell metacharacters. Because the router itself will not reliably log such requests, this monitoring has to be done from a network sensor, proxy or IDS positioned in front of the device. Given the history of similar Totolink vulnerabilities being incorporated into Mirai-variant botnets, elevated vigilance is warranted even in the absence of confirmed active exploitation.
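The detection guidance above, as an added example that is not part of the briefing and not Totolink code: a small rule run over a constructed request log that flags POSTs to /cgi-bin/cstecgi.cgi addressed to setTracerouteCfg when a parameter value is oversized or contains shell metacharacters, the two indicators matching the suspected bug classes. The log line format is a constructed proxy/IDS export; the JSON body layout, the "topicurl" selector field and the "host"/"count" parameter names are assumptions for illustration, since the briefing only names the function and the path. The size threshold is likewise an assumption to tune per environment.

```python
"""Flag suspicious requests to the Totolink cstecgi.cgi traceroute handler.

Added example for the briefing, not vendor code. Assumptions, labelled:
- log line format "<ts> <src_ip> <method> <path> <body>" is a constructed
  proxy/IDS export, not a Totolink or other real log format;
- the body is JSON naming the handler in a "topicurl" field; that field name
  and the "host"/"count" parameter names are assumed, not from the briefing.
"""
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setTracerouteCfg"
MAX_VALUE_LEN = 64  # assumed threshold: a hostname or IP for traceroute fits easily
# Shell metacharacters that have no business in a traceroute target.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")


def parse_line(line):
    """Split one constructed log line into a record; body may contain spaces."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) < 4:
        return None
    ts, src, method, path = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}


def body_values(body):
    """Return the flat string parameters of a JSON or form-encoded body."""
    try:
        obj = json.loads(body)
    except ValueError:
        obj = {k: v[0] for k, v in parse_qs(body).items()} if "=" in body else {}
    if isinstance(obj, dict):
        return {k: v for k, v in obj.items() if isinstance(v, str)}
    return {}


def check_request(rec):
    """Return the reasons a request looks like an attack on setTracerouteCfg."""
    reasons = []
    if rec["method"] != "POST" or rec["path"].split("?")[0] != TARGET_PATH:
        return reasons
    if TARGET_FUNC not in rec["body"]:
        return reasons
    values = body_values(rec["body"])
    if not values:
        reasons.append("unparseable body addressed to " + TARGET_FUNC)
        return reasons
    for key, val in values.items():
        if key == "topicurl":  # assumed handler selector, not a traceroute field
            continue
        if len(val) > MAX_VALUE_LEN:
            reasons.append(f"oversized value in {key!r} ({len(val)} bytes)")
        if SHELL_META.search(val):
            reasons.append(f"shell metacharacters in {key!r}")
    return reasons


def scan(lines):
    """Run the rule over log lines; return (source_ip, reasons) per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_request(rec)
        if reasons:
            findings.append((rec["src"], reasons))
    return findings


# Constructed sample log (RFC 5737 addresses); not captured traffic.
SAMPLE_LOG = [
    # benign traceroute to a public resolver
    '2026-05-01T12:00:01Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi {"topicurl":"setTracerouteCfg","host":"8.8.8.8","count":"3"}',
    # shell metacharacter appended to the host (command-injection indicator)
    '2026-05-01T12:00:02Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setTracerouteCfg","host":"8.8.8.8;id"}',
    # oversized host value (buffer-overflow probe indicator)
    '2026-05-01T12:00:03Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setTracerouteCfg","host":"' + "A" * 300 + '"}',
    # unrelated handler on the same path, ignored
    '2026-05-01T12:00:04Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi {"topicurl":"otherHandler"}',
    # GET to the same path, ignored by this POST-focused rule
    '2026-05-01T12:00:05Z 192.0.2.10 GET /cgi-bin/cstecgi.cgi?topicurl=setTracerouteCfg',
]

if __name__ == "__main__":
    for src, why in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(why))
```

Only the two requests from 198.51.100.7 are reported. The rule deliberately keys on the path and handler name rather than on a specific payload, so it also catches probes against the endpoint whose exact parameters differ from the assumed names, at the cost of having to tune MAX_VALUE_LEN against legitimate hostnames in your environment.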