Skip to main content

Totolink CA750-PoE CVE-2026-9515

| EUVD-2026-31771 LOW
OS Command Injection (CWE-78)
2026-05-25 VulDB GHSA-chj8-3r5w-6fwr
Command Injection Ca750 Poe
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 13:19 vuln.today
Severity Changed
May 26, 2026 - 19:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:07 NVD
6.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.

AnalysisAI

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a remote, low-privileged attacker to execute arbitrary operating system commands on the device by manipulating the plugin_version parameter in the setUnloadUserData function of /cgi-bin/cstecgi.cgi. A public proof-of-concept exploit exists on GitHub, and the EPSS percentile (87th) indicates this CVE carries meaningfully higher exploitation likelihood than the majority of published vulnerabilities despite its low CVSS 4.0 base score of 2.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege device credentials
Delivery
Send crafted HTTP request to /cgi-bin/cstecgi.cgi
Exploit
Inject OS commands via plugin_version parameter
Execution
setUnloadUserData passes unsanitized input to shell
Impact
Execute arbitrary commands on firmware
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a low-privilege authenticated session on the Totolink CA750-PoE web management interface - confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 is strikingly low for an OS command injection on a network device and warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege credentials to the Totolink CA750-PoE web interface - potentially default or weak credentials common on consumer routers - sends a crafted HTTP request to /cgi-bin/cstecgi.cgi with a malformed plugin_version parameter containing injected shell metacharacters (e.g., semicolons, backticks, or pipes). The setUnloadUserData function processes the parameter without sanitization and passes it to an OS shell call, executing attacker-controlled commands on the device firmware. …
Remediation No vendor-released patch with a confirmed fix version has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9515 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy