CVE-2026-9515
Deferred Deferred - Pending Action
Command Injection in Totolink CA750-PoE Firmware

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9515
EUVD
EUVD-2026-31771
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink ca750-poe 6.2c.510
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9515 is a Remote Command Execution (RCE) vulnerability found in Totolink CA750-PoE devices. It exists in the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file, specifically in the Setting Handler component.

The vulnerability arises because the plugin_version parameter is not properly validated, allowing an attacker to inject arbitrary operating system commands.

An attacker can exploit this by sending a crafted POST request with a malicious plugin_version value, which the device executes, potentially granting shell access.

Impact Analysis

This vulnerability allows a remote attacker to execute arbitrary OS commands on the affected device without user interaction.

Successful exploitation can lead to full control over the device, including the ability to run malicious commands, potentially compromising the device's integrity, confidentiality, and availability.

This could result in unauthorized access to network resources, disruption of network services, or use of the device as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi containing the parameter plugin_version with unusual or malicious command strings.

A detection method involves capturing and inspecting network traffic for POST requests with JSON payloads that include the plugin_version parameter set to suspicious values such as command injection attempts (e.g., commands like "telnetd -l /bin/sh -p 8892").

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/cstecgi.cgi.
  • Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'plugin_version'
  • Use curl or similar tools to test the endpoint with crafted payloads to verify if the system is vulnerable.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted users only, such as by implementing firewall rules or access control lists.

Disabling or restricting the functionality of the setUnloadUserData function or the entire CGI interface if possible can reduce exposure.

Monitor and block suspicious POST requests containing the plugin_version parameter with unexpected values.

Apply any available patches or updates from the vendor once released.

Compliance Impact

The vulnerability allows remote command injection leading to potential unauthorized shell access on the affected device.

Such unauthorized access could lead to compromise of sensitive data or disruption of device operation, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart