CVE-2026-9515
BaseFortify
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | ca750-poe | 6.2c.510 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9515 is a Remote Command Execution (RCE) vulnerability found in Totolink CA750-PoE devices. It exists in the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file, specifically in the Setting Handler component.
The vulnerability arises because the plugin_version parameter is not properly validated, allowing an attacker to inject arbitrary operating system commands.
An attacker can exploit this by sending a crafted POST request with a malicious plugin_version value, which the device executes, potentially granting shell access.
How can this vulnerability impact me?
This vulnerability allows a remote attacker to execute arbitrary OS commands on the affected device without user interaction.
Successful exploitation can lead to full control over the device, including the ability to run malicious commands, potentially compromising the device's integrity, confidentiality, and availability.
This could result in unauthorized access to network resources, disruption of network services, or use of the device as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi containing the parameter plugin_version with unusual or malicious command strings.
One detection method is to capture and inspect network traffic for POST requests whose JSON payload includes the plugin_version parameter set to a suspicious value, such as a command injection attempt (e.g., "telnetd -l /bin/sh -p 8892").
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/cstecgi.cgi.
- Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'plugin_version'
- Use curl or similar tools to test the endpoint with crafted payloads to verify if the system is vulnerable.
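The detection described above can be automated once the captured requests have been written out as records. The following is an added example, not code from this page or from the vendor: it assumes a proxy or capture post-processor emits one JSON record per request with src, method, path and body fields (that record format and all sample records are constructed here), extracts plugin_version from a JSON or form-encoded body, and flags any value that is not a plain version string. The allow-list pattern is an assumption based on the "6.2c.510" version format shown on this page; the raw-text fallback catches bodies the JSON parser rejects, so a malformed body does not slip past the check.

```python
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "plugin_version"

# Allow-list: a plugin/firmware version is expected to be short and made only
# of alphanumerics, dots, underscores and hyphens. This pattern is an
# assumption derived from the "6.2c.510" version format on this page.
ALLOWED_VALUE = re.compile(r"^[0-9A-Za-z._-]{1,32}$")

# Characters and whitespace that let a value escape a shell command (CWE-78).
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]|\s")


def extract_param(body: str) -> Optional[str]:
    """Pull plugin_version out of a JSON or form-encoded request body.

    Falls back to a raw text search so that a body the parser rejects
    (truncated JSON, odd encoding) is still inspected rather than skipped.
    """
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
            if isinstance(data, dict) and PARAM in data:
                return str(data[PARAM])
        except json.JSONDecodeError:
            pass
    else:
        values = parse_qs(body, keep_blank_values=True).get(PARAM)
        if values:
            return values[0]
    # Fallback: locate plugin_version followed by ':' or '=' and grab the value.
    m = re.search(re.escape(PARAM) + r'["\']?\s*[:=]\s*["\']?([^"\'&}]*)', body)
    return m.group(1) if m else None


def classify_value(value: str) -> Optional[str]:
    """Return a reason string if the value looks like an injection attempt,
    or None if it is an acceptable version string."""
    if ALLOWED_VALUE.fullmatch(value):
        return None
    if SHELL_META.search(value):
        return "shell metacharacters in plugin_version"
    return "plugin_version outside the expected version format"


def scan_records(lines: List[str]) -> List[dict]:
    """Scan JSON request records and return one alert per suspicious request."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        # Only POST requests to the affected CGI endpoint are of interest.
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        value = extract_param(rec.get("body", ""))
        if value is None:
            continue
        reason = classify_value(value)
        if reason:
            alerts.append({"src": rec.get("src"), "value": value, "reason": reason})
    return alerts


# Constructed sample records (not real traffic). Record 2 carries the sample
# payload string quoted on this page; the others are synthetic.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.0.5", "method": "POST", "path": TARGET_PATH,
     "body": json.dumps({PARAM: "6.2c.510"})},                     # benign
    {"src": "198.51.100.7", "method": "POST", "path": TARGET_PATH,
     "body": json.dumps({PARAM: "telnetd -l /bin/sh -p 8892"})},   # page's sample
    {"src": "198.51.100.8", "method": "POST", "path": TARGET_PATH,
     "body": PARAM + "=1.0%3Bid"},                                 # form-encoded, ';'
    {"src": "10.0.0.6", "method": "GET", "path": TARGET_PATH,
     "body": ""},                                                  # not a POST
    {"src": "10.0.0.7", "method": "POST", "path": "/index.html",
     "body": json.dumps({PARAM: "x y"})},                          # other path
    {"src": "198.51.100.9", "method": "POST", "path": TARGET_PATH,
     "body": json.dumps({PARAM: "A" * 40})},                       # too long
    {"src": "198.51.100.10", "method": "POST", "path": TARGET_PATH,
     "body": '{"plugin_version":"a;b"'},                           # truncated JSON
]]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['reason']} ({alert['value']!r})")
```

Running the block against the constructed records produces four alerts (the page's sample payload, the form-encoded value, the over-long value and the truncated body) and stays silent on the benign request, the GET and the request to an unrelated path. Values accepted by the allow-list never reach the metacharacter check, so an update to the expected version format only requires changing ALLOWED_VALUE.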
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted users only, such as by implementing firewall rules or access control lists.
Disabling or restricting the functionality of the setUnloadUserData function or the entire CGI interface if possible can reduce exposure.
Monitor and block suspicious POST requests containing the plugin_version parameter with unexpected values.
Apply any available patches or updates from the vendor once released.