CVE-2026-9455 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-9455 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-9455 is a critical vulnerability in the Totolink A8000RU router (firmware version 7.1cu.643_b20200521) affecting the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi script of the device's web management interface.
Technical Detail
The flaw resides in the handling of OpenVPN certificate uploads through the web management interface, where insufficient input validation in the UploadOpenVpnCert function likely permits command injection or arbitrary file upload leading to remote code execution. An attacker with network access to the management interface can craft a malicious request to trigger the vulnerable function, potentially gaining full control of the device. Given the CVSS score of 9.8, the vulnerability is assessed as network-exploitable, requiring no authentication and no user interaction, which is consistent with a pre-authentication RCE condition on the router's management plane.
Exploitation Status
No known exploit has been publicly documented or observed in the wild as of June 1, 2026. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While no proof-of-concept code has been confirmed publicly, the straightforward attack surface on a consumer-grade router with a high CVSS score warrants proactive attention.
Who Is Targeting This
There is no specific threat actor attribution at this time. No threat actor activity, confirmed or reported, has been associated with this CVE in available intelligence sources.
What To Do
Check the Totolink vendor advisory and apply any available firmware update for the A8000RU that addresses this vulnerability. If no patch is currently available, immediately restrict access to the web management interface by disabling remote management, binding the interface to a trusted management VLAN, or applying firewall rules to block external access to the CGI endpoint. Network defenders should monitor for anomalous HTTP POST requests targeting /cgi-bin/cstecgi.cgi with OpenVPN certificate upload parameters, particularly from untrusted source addresses. Given the critical severity and the nature of the affected device, routers running the identified firmware version should be treated as high-priority remediation targets regardless of current exploitation status.
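The monitoring step above can be sketched as a log filter. This is an added example, not vendor or original-briefing code; the JSON-lines log schema (ts, src, method, uri, body), the trusted range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # endpoint named in the briefing
FUNCTION = "uploadopenvpncert"      # affected function name, lower-cased for matching

# Assumption: trusted management VLAN; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample records (hypothetical HTTP log from a proxy or sensor).
SAMPLE_LOG = [
    '{"ts":"2026-06-01T10:00:01Z","src":"192.168.50.10","method":"POST","uri":"/cgi-bin/cstecgi.cgi","body":"UploadOpenVpnCert"}',
    '{"ts":"2026-06-01T10:02:17Z","src":"203.0.113.44","method":"POST","uri":"/cgi-bin/cstecgi.cgi","body":"UploadOpenVpnCert"}',
    '{"ts":"2026-06-01T10:03:40Z","src":"203.0.113.44","method":"GET","uri":"/login.html","body":""}',
    '{"ts":"2026-06-01T10:04:05Z","src":"198.51.100.7","method":"post","uri":"/cgi-bin/%63stecgi.cgi","body":"uploadopenvpncert"}',
    'not json at all',
]

def is_trusted(src, nets=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                 # unparseable source counts as untrusted
    return any(addr in net for net in nets)

def find_suspect_requests(lines, nets=TRUSTED_NETS):
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                 # skip malformed records
        if not isinstance(rec, dict):
            continue
        parts = urlsplit(str(rec.get("uri", "")))
        path = unquote(parts.path).lower()          # normalise encoding and case
        haystack = (unquote(parts.query) + " " + str(rec.get("body", ""))).lower()
        if (str(rec.get("method", "")).upper() == "POST" and path == CGI_PATH
                and FUNCTION in haystack and not is_trusted(str(rec.get("src", "")), nets)):
            hits.append((rec.get("ts"), rec.get("src")))
    return hits

if __name__ == "__main__":
    for ts, src in find_suspect_requests(SAMPLE_LOG):
        print(f"ALERT {ts} {src} POST {CGI_PATH} UploadOpenVpnCert")
```

Requests from the trusted range are suppressed here; on a device that does not use OpenVPN at all, alerting on every match regardless of source is the safer setting.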