CVE-2026-9531
Deferred Deferred - Pending Action
Command Injection in Totolink CA750-PoE Firmware

Publication date: 2026-05-26

Last updated on: 2026-05-28

Assigner: VulDB

Description
A weakness has been identified in Totolink CA750-PoE 6.2c.510. Impacted is the function setUpgradeUboot of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-28
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9531
EUVD
EUVD-2026-31789
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink ca750-poe 6.2c.510
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9531 is a Remote Command Execution (RCE) vulnerability found in the Totolink CA750-PoE device, specifically in the setUpgradeUboot function of the /cgi-bin/cstecgi.cgi file. The vulnerability arises because the FileName parameter is not properly validated, allowing an attacker to inject arbitrary operating system commands remotely.

An attacker can exploit this by sending a specially crafted POST request with a manipulated FileName argument, which can execute commands such as starting a shell on the device, effectively gaining control over it.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected Totolink device without user interaction or authentication. This can lead to unauthorized control over the device, potentially allowing attackers to manipulate device settings, intercept network traffic, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi that include a manipulated FileName parameter. Specifically, look for attempts to inject commands such as 'telnetd -l /bin/sh -p 8893' or other unusual command strings within the FileName argument.

A practical detection method is to capture and analyze HTTP POST traffic targeting /cgi-bin/cstecgi.cgi and inspect the FileName parameter for command injection patterns.

Example command to detect such attempts using tcpdump and grep:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /cgi-bin/cstecgi.cgi'
  • Use a web proxy or intrusion detection system (IDS) to alert on POST requests containing suspicious FileName parameter values that include shell commands or unusual strings.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted networks only, such as by firewall rules or network segmentation.

Disable or block remote access to the device's web interface if not necessary.

Monitor and block suspicious POST requests that attempt to exploit the FileName parameter.

Check for and apply any available firmware updates or patches from the vendor that address this vulnerability.

If no patch is available, consider isolating the device from untrusted networks until a fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart