CVE-2026-9533
Command Injection in Totolink CA750-PoE
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | ca750-poe | 6.2c.510 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the vulnerability CVE-2026-9533 impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-9533 is a Remote Command Execution (RCE) vulnerability found in the TOTOLINK CA750-PoE router, specifically in the recvUpgradeNewFw function of the /cgi-bin/cstecgi.cgi component. The vulnerability arises because the parameters fwUrl and magicid are not properly validated, allowing an attacker to inject and execute arbitrary operating system commands remotely.
An attacker can exploit this flaw by sending a specially crafted POST request to the /cgi-bin/cstecgi.cgi endpoint, manipulating the fwUrl parameter to execute commands such as starting a telnet shell on the device, thereby gaining control over the router.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on the affected TOTOLINK router without user interaction. This can lead to unauthorized access, control over the device, and potentially compromise the entire network the router is connected to.
- Attackers can gain shell access to the router.
- They can manipulate router settings or install malicious software.
- It may lead to data interception, network disruption, or further attacks on connected devices.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi that include manipulated fwUrl or magicid parameters. Specifically, an fwUrl value that carries shell commands such as 'telnetd -l /bin/sh -p 8895' indicates an exploitation attempt.
A practical detection method is to capture and analyze HTTP POST traffic targeting /cgi-bin/cstecgi.cgi for unusual parameter values.
- Use network packet capture tools like tcpdump or Wireshark to filter POST requests to /cgi-bin/cstecgi.cgi.
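- Example tcpdump command (the filter keeps only TCP segments on port 80 that carry a payload; `-l` line-buffers the output so grep sees matches as they arrive): `tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/cstecgi.cgi'`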
- Use curl or similar tools to test the endpoint with crafted payloads to verify if the system is vulnerable.
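The parameter check described above can be automated once requests have been extracted from a capture or proxy log. The following is an added example, not code from the vendor or from this advisory. It assumes the request body is either JSON or form-encoded, and the allowed shapes for fwUrl and magicid are assumptions to adjust for your environment.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
# Characters a shell treats specially; none belong in a firmware URL or an id token.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\s]")
# Assumed legitimate shapes (not taken from vendor documentation).
ALLOWED = {
    "fwUrl": re.compile(r"https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._~/%-]*)?"),
    "magicid": re.compile(r"[A-Za-z0-9_-]{1,64}"),
}

def parse_body(body):
    """Return the request parameters as a dict, accepting JSON or form encoding."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {k: str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def inspect_request(method, path, body):
    """Return a list of (parameter, reason) findings for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_body(body)
    findings = []
    for name in sorted(ALLOWED.keys() & params.keys()):
        value = params[name]
        if SHELL_META.search(value):
            findings.append((name, "shell metacharacter"))
        elif not ALLOWED[name].fullmatch(value):
            findings.append((name, "unexpected format"))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", ENDPOINT, '{"fwUrl": "http://updates.example/fw.bin", "magicid": "a1b2c3"}'),
    ("POST", ENDPOINT, '{"fwUrl": "telnetd -l /bin/sh -p 8895", "magicid": "a1b2c3"}'),
    ("POST", ENDPOINT, "fwUrl=http%3A%2F%2Fupdates.example%2Ffw.bin&magicid=1%3Bid"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

Any non-empty result is worth an alert; a request to this endpoint that carries fwUrl or magicid at all may also be worth logging if the device is not expected to receive firmware upgrades.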
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/cstecgi.cgi endpoint to trusted users only, such as by implementing firewall rules or access control lists.
Additionally, monitoring and blocking suspicious POST requests containing unusual fwUrl or magicid parameter values can help prevent exploitation.
If possible, update the firmware of the Totolink CA750-PoE device to a version that patches this vulnerability or apply vendor-provided patches.
Disabling remote management features temporarily until a fix is applied can also reduce exposure.