CVE-2026-9388 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-9388 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
A critical vulnerability exists in the setScheduleCfg function within the Web Management Interface (/cgi-bin/cstecgi.cgi) of the Totolink A8000RU router running firmware version 7.1cu.643_b20200521.
Technical Detail
The flaw resides in the setScheduleCfg function of the CGI-based web management interface, which fails to properly validate or sanitize user-supplied input. An attacker who can reach the management interface can send a crafted request to trigger the vulnerability, likely resulting in remote code execution or arbitrary command injection on the underlying device. Given the CVSS score of 9.8 and the network-accessible attack surface, exploitation is expected to require no authentication and no user interaction, placing full device compromise within reach of an unauthenticated remote attacker.
Exploitation Status
No exploit code has been publicly identified at this time, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is currently assessed as "no known exploit"; however, vulnerabilities of this class in consumer and SOHO routers have historically been weaponized quickly once disclosed.
Who Is Targeting This
There is no specific threat actor attribution at this time. No confirmed or reported threat actors have been linked to exploitation of this vulnerability as of May 31, 2026.
What To Do
Check whether Totolink has released a firmware update beyond version 7.1cu.643_b20200521 for the A8000RU and apply it immediately if available. If no patch exists, restrict access to the web management interface by disabling remote management, placing the interface behind a firewall or access control list, and ensuring it is not exposed to the public internet. Network defenders should monitor for anomalous HTTP POST requests targeting /cgi-bin/cstecgi.cgi with unexpected or oversized parameter values in the schedule configuration fields. Given the critical severity and the typical deployment context of this device class, isolation of the management plane should be treated as an urgent priority even in the absence of confirmed active exploitation.
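The monitoring advice above can be turned into a triage check. The following is an added example, not code from the vendor or from this briefing. It assumes request records (source address, method, path, body) exported from a proxy or IDS that logs POST bodies; the "topicurl", "hour" and "minute" names, the length threshold, the character allowlist and the management subnet are all assumptions to adapt.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qsl

CGI_PATH, HANDLER = "/cgi-bin/cstecgi.cgi", "setScheduleCfg"  # from the briefing
MAX_VALUE_LEN = 64                                  # assumption: tune to baseline
SAFE_VALUE = re.compile(r"[A-Za-z0-9 _.,:/-]*")     # assumption: allowlist
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")   # assumption: admin subnet


def body_fields(body):
    """Return {name: value} from a JSON object or form-encoded body."""
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict):
            return {str(k): str(v) for k, v in parsed.items()}
    except ValueError:
        pass
    return dict(parse_qsl(body, keep_blank_values=True))


def findings(record):
    """Return the reasons a logged request deserves review (empty if none)."""
    if (record["method"] != "POST" or record["path"].split("?")[0] != CGI_PATH
            or HANDLER not in record["body"]):
        return []
    reasons = []
    if ipaddress.ip_address(record["src"]) not in MGMT_NET:
        reasons.append("source outside management subnet")
    for name, value in body_fields(record["body"]).items():
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"oversized value in {name!r} ({len(value)} chars)")
        elif not SAFE_VALUE.fullmatch(value):
            reasons.append(f"unexpected characters in {name!r}")
    return reasons

# Constructed records; "topicurl", "hour" and "minute" are hypothetical names.
SAMPLES = [
    {"src": "192.168.0.10", "method": "POST", "path": CGI_PATH,
     "body": '{"topicurl": "setScheduleCfg", "hour": "3", "minute": "30"}'},
    {"src": "203.0.113.7", "method": "POST", "path": CGI_PATH,
     "body": json.dumps({"topicurl": "setScheduleCfg", "hour": "A" * 300})},
    {"src": "192.168.0.10", "method": "POST", "path": CGI_PATH,
     "body": '{"topicurl": "setScheduleCfg", "minute": "30;x"}'},
]

if __name__ == "__main__":
    print([findings(rec) for rec in SAMPLES])
```

Any request to this handler from outside the management subnet is reported even when its values look normal, since the interface should not be reachable from there at all.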