Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-9407 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-9407 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A critical vulnerability exists in the Totolink A8000RU router (firmware version 7.1cu.643_b20200521), specifically within the setFirewallType function of the web-facing CGI handler at /cgi-bin/cstecgi.cgi.

Technical Detail

The flaw resides in the setFirewallType function, which processes user-supplied input through the device's web management interface without adequate validation or sanitization. An attacker who can reach the CGI endpoint can likely supply crafted input to trigger a condition such as a stack-based buffer overflow or command injection, potentially resulting in unauthenticated remote code execution on the device. Given the CVSS score of 9.8 and the network-accessible attack surface, exploitation likely requires no authentication and no user interaction, placing full device compromise within reach of a remote attacker.

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as none confirmed. This status may change given the severity of the vulnerability and the historically high targeting rate of SOHO router firmware flaws.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this CVE as of May 31, 2026.

What To Do

Check the Totolink vendor advisory and apply any available firmware update that addresses this vulnerability. If no patch is available, restrict access to the device's web management interface by disabling remote administration and limiting access to trusted internal hosts only via firewall rules or ACLs. Network defenders should monitor for anomalous HTTP POST requests to /cgi-bin/cstecgi.cgi with unexpected or oversized parameter values as a potential detection signal. Organizations using this device in internet-exposed configurations should treat this as high priority given the unauthenticated network attack vector and critical CVSS rating.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →