CVE-2026-9408 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-9408 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-9408 is a critical vulnerability in the setStaticDhcpRules function within the /cgi-bin/cstecgi.cgi script of the web management interface on the Totolink A8000RU router running firmware version 7.1cu.643_b20200521.
Technical Detail
The flaw resides in the setStaticDhcpRules function, which processes user-supplied input through the web management interface without adequate validation or sanitization. An attacker who can reach the management interface can craft a malicious request to trigger the vulnerable function, likely resulting in remote code execution or arbitrary command injection at the device level. Given the CVSS score of 9.8 and the network-accessible attack surface, exploitation is expected to require no authentication or only minimal preconditions, placing the full device under attacker control if successfully exploited.
Exploitation Status
No known exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as none confirmed. This status may change given the critical severity rating and the historically high targeting of consumer and SOHO routers by botnet operators and threat actors.
Who Is Targeting This
There is no specific threat actor attribution at this time. No confirmed or reported threat actor associations have been established for this vulnerability as of the date of this briefing.
What To Do
Organizations and individuals operating the Totolink A8000RU on firmware 7.1cu.643_b20200521 should check the Totolink vendor advisory for an updated firmware release and apply it immediately given the critical severity rating. If no patch is available, restrict access to the web management interface by disabling remote management, placing the interface behind a firewall or access control list, and ensuring it is not exposed to untrusted networks or the public internet. Network defenders should monitor for anomalous HTTP POST requests targeting /cgi-bin/cstecgi.cgi with unexpected or oversized parameter values in the setStaticDhcpRules action. Device replacement should be considered if the vendor does not issue a patch in a timely manner, as end-of-support firmware on SOHO routers represents a persistent and difficult-to-remediate risk.
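The monitoring step above, as an added example (not vendor code and not part of the original briefing): a check that flags POST requests to /cgi-bin/cstecgi.cgi that name setStaticDhcpRules and carry oversized or unexpected parameter values. It assumes request bodies are available as text from a proxy or IDS capture and are sent as JSON; the field names in the samples, the 64-character ceiling and the character allowlist are constructed assumptions to tune against your own traffic.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"
ACTION = "setStaticDhcpRules"
MAX_VALUE_LEN = 64  # assumed ceiling for a MAC, IP or label field; tune locally
# Assumed allowlist: characters plausible in MAC addresses, IPs and labels.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._:,\-]*")


def inspect_request(method, path, body):
    """Return a list of findings for one captured HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return []
    if ACTION not in body:
        return []  # a different action on the same CGI endpoint
    try:
        params = json.loads(body)  # assumption: the action is sent as JSON
    except ValueError:
        return ["body names the action but is not valid JSON"]
    if not isinstance(params, dict):
        return ["body is JSON but not an object"]
    findings = []
    for key, value in params.items():
        # Non-string values are serialized, so nested structures get flagged.
        text = value if isinstance(value, str) else json.dumps(value)
        if len(text) > MAX_VALUE_LEN:
            findings.append(f"{key}: oversized value ({len(text)} chars)")
        if not SAFE_VALUE.fullmatch(text):
            findings.append(f"{key}: characters outside allowlist")
    return findings


# Constructed sample records; all field names here are hypothetical.
SAMPLES = [
    ("POST", CGI_PATH, json.dumps({"topicurl": ACTION, "mac": "AA:BB:CC:DD:EE:FF", "ip": "192.168.0.50"})),
    ("POST", CGI_PATH, json.dumps({"topicurl": ACTION, "mac": "A" * 300, "ip": "192.168.0.50"})),
    ("POST", CGI_PATH, json.dumps({"topicurl": ACTION, "label": "lab;printer"})),
    ("POST", CGI_PATH, json.dumps({"topicurl": "someOtherAction"})),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(inspect_request(method, path, body) or "ok")
```

Any finding for a request that originates outside the management network is worth triage, since the interface should not be reachable from there once the access restrictions above are in place.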