CVE-2026-9457 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-9457 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A critical vulnerability exists in the UploadFirmwareFile function within the /cgi-bin/cstecgi.cgi script of the web management interface on the Totolink A8000RU router running firmware version 7.1cu.643_b20200521.

Technical Detail

The flaw resides in how the web management interface handles firmware upload requests through the UploadFirmwareFile function, which likely fails to properly validate or sanitize attacker-supplied input, enabling exploitation via a crafted HTTP request to the CGI endpoint. Based on the CVSS score of 9.8 and the nature of the affected component, the most probable impact is unauthenticated remote code execution, allowing an attacker with network access to the management interface to execute arbitrary commands with elevated privileges on the device. Successful exploitation would give an attacker full control over the router, enabling traffic interception, lateral movement into the local network, or use of the device as a persistent foothold.

Exploitation Status

No known exploit has been publicly documented at this time, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as none, meaning no proof-of-concept or operational exploit code has been confirmed in public repositories or threat intelligence sources as of June 01, 2026. This status may change given the severity of the vulnerability and the historically high targeting of consumer and SOHO routers.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability. Totolink devices as a product class have historically attracted attention from botnet operators and state-aligned actors targeting SOHO infrastructure, but no such activity has been linked to this specific CVE.

What To Do

Check with Totolink for an updated firmware release that addresses this vulnerability and apply it immediately if available. If no patch exists, restrict access to the web management interface by disabling remote management and limiting access to trusted internal hosts only using firewall rules or access control lists. Network defenders should monitor for unexpected outbound connections originating from the device and anomalous HTTP POST requests to /cgi-bin/cstecgi.cgi as potential indicators of exploitation attempts. Given the critical CVSS rating and the nature of the affected function, treat this as a high-priority remediation item even in the absence of confirmed active exploitation.