Skip to main content

Totolink CA750-PoE CVE-2026-9533

| EUVD-2026-31791 LOW
OS Command Injection (CWE-78)
2026-05-26 VulDB GHSA-mh4r-64r2-gj28
Command Injection Ca750 Poe
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 13:02 vuln.today
Severity Changed
May 26, 2026 - 13:37 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 13:37 NVD
6.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

AnalysisAI

OS command injection in Totolink CA750-PoE firmware 6.2c.510 enables remote attackers with low-level credentials to execute arbitrary operating system commands via the fwUrl and magicid parameters of the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. The firmware upgrade Setting Handler fails to sanitize user-supplied input before passing it to the underlying OS shell, exposing the device to command execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege router credentials
Delivery
Send crafted HTTP request to /cgi-bin/cstecgi.cgi
Exploit
Inject shell metacharacters in fwUrl or magicid parameter
Execution
recvUpgradeNewFw passes unsanitized input to OS shell
Impact
Execute arbitrary commands on device
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authentication is required - the CVSS 4.0 vector specifies PR:L (Low Privileges Required), meaning the attacker must hold at least a low-privileged authenticated session on the device's management interface before exploitation is possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 is notably low for a network-accessible OS command injection and warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege credentials for the Totolink CA750-PoE management interface - via default credentials, credential reuse, or prior phishing - sends a crafted HTTP request to /cgi-bin/cstecgi.cgi targeting the firmware upgrade function, embedding shell metacharacters (e.g., semicolons, backticks, or pipe characters) within the fwUrl or magicid parameter values. The router's CGI handler passes the unsanitized input directly to an OS shell call, executing attacker-controlled commands with the privileges of the web server process. …
Remediation No vendor-released patched firmware version has been identified at time of analysis - no Totolink advisory confirming a fixed firmware build was present in any referenced source. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9533 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy