
Totolink CA750-PoE CVE-2026-9534

EUVD-2026-31796 · LOW
OS Command Injection (CWE-78)
2026-05-26 · VulDB · GHSA-2wm4-fmvg-pxj4
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated - Jun 08, 2026 13:02 (vuln.today)
Severity Changed - May 26, 2026 13:37 (NVD): MEDIUM → LOW
CVSS Changed - May 26, 2026 13:37 (NVD): 6.3 (MEDIUM) → 2.1 (LOW)

Description (CVE.org)

A flaw has been found in Totolink CA750-PoE 6.2c.510. This affects the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument PIN can lead to os command injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

Analysis (AI)

OS command injection in Totolink CA750-PoE 6.2c.510 allows a low-privileged remote attacker to execute arbitrary operating system commands by manipulating the PIN argument passed to the setWiFiWpsConfig function within /cgi-bin/cstecgi.cgi. The attack requires no user interaction and is reachable over the network, making it a credible threat to any deployment exposing the device's management interface. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain low-privilege device credentials
Delivery: Send crafted HTTP POST to /cgi-bin/cstecgi.cgi
Exploit: Inject shell metacharacters in PIN argument
Execution: setWiFiWpsConfig passes input unsanitized to OS command
Impact: Execute arbitrary commands on device firmware

Vulnerability Assessment (AI)

Exploitation: The attack requires the attacker to hold a valid low-privilege authenticated session on the Totolink CA750-PoE web management interface (confirmed by PR:L in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The risk picture here is internally inconsistent and warrants careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained low-privilege credentials to the Totolink CA750-PoE management interface - whether through credential stuffing against a default password, prior phishing, or internal network access - sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with the setWiFiWpsConfig action and a maliciously constructed PIN value containing shell metacharacters (e.g., semicolons, backticks, or pipe characters). The firmware passes the unsanitized PIN to an OS command without escaping, executing the attacker's payload in the device's shell context. …

Remediation: No vendor-released patch has been identified at time of analysis - no fixed firmware version appears in any referenced source, including VulDB (https://vuldb.com/vuln/365561) or the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-9534). … Detailed patch versions, workarounds, and compensating controls in full report.
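The defect described above is a missing allowlist check on the PIN value before it reaches a shell command. The following is an added example, not code from vuln.today, Totolink, or any referenced source, showing the two controls a defender can apply while no fixed firmware exists: strict validation of a WPS PIN (digits only, 4 or 8 long, with the 8-digit checksum defined in the WPS specification; accepting 4-digit PINs without a checksum is an assumption here) and a detection pass over POST bodies aimed at the setWiFiWpsConfig handler. The `action` parameter name, the request-body format, and the sample bodies are constructed for the example; only `PIN`, `setWiFiWpsConfig` and `/cgi-bin/cstecgi.cgi` come from the advisory.

```python
import re
from urllib.parse import parse_qs

# Hypothetical hardening: only well-formed WPS PINs are accepted, so shell
# metacharacters can never reach a command line. [0-9] rather than \d keeps
# non-ASCII digits out as well.
PIN_RE = re.compile(r"[0-9]{4}|[0-9]{8}")

# Characters a POSIX shell interprets; used only to flag suspicious requests.
SHELL_META = frozenset(";|&`$(){}<>\"'\\\n\r")


def wps_pin_checksum_ok(pin: str) -> bool:
    """WPS-spec checksum for an 8-digit PIN: digits 1,3,5,7 weigh 3, digits 2,4,6
    weigh 1, and the eighth digit must make the weighted sum a multiple of 10."""
    d = [int(c) for c in pin]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10 == d[7]


def validate_wps_pin(value: str) -> bool:
    """Allowlist validation. Returns True only for a 4-digit PIN or an
    8-digit PIN with a correct checksum; anything else (letters, spaces,
    metacharacters, wrong length) is rejected outright."""
    if not PIN_RE.fullmatch(value):
        return False
    return len(value) == 4 or wps_pin_checksum_ok(value)


def flag_suspicious_requests(bodies):
    """Scan URL-encoded POST bodies (e.g. captured at a reverse proxy in front
    of the device) and return (index, pin) for every setWiFiWpsConfig request
    whose PIN fails validation or contains shell metacharacters.
    parse_qs decodes percent-encoding, so an encoded ';' (%3B) is still caught.
    'action' is a constructed parameter name for the example."""
    findings = []
    for i, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        if "setWiFiWpsConfig" not in params.get("action", []):
            continue
        for pin in params.get("PIN", []):
            if not validate_wps_pin(pin) or SHELL_META.intersection(pin):
                findings.append((i, pin))
    return findings


# Constructed sample bodies; not captured traffic.
SAMPLE_BODIES = [
    "action=setWiFiWpsConfig&PIN=12345670",       # valid 8-digit PIN (checksum 0)
    "action=setWiFiWpsConfig&PIN=1234",           # valid 4-digit PIN
    "action=setWiFiWpsConfig&PIN=12345671",       # bad checksum digit
    "action=setWiFiWpsConfig&PIN=12345670%3Bls",  # percent-encoded ';' decoded by parse_qs
    "action=setWiFiWpsConfig&PIN=`ls`",           # backticks
    "action=getStatus&PIN=`ls`",                  # different handler, out of scope
]

if __name__ == "__main__":
    for idx, pin in flag_suspicious_requests(SAMPLE_BODIES):
        print(f"request {idx}: rejected PIN {pin!r}")
```

The checksum test rejects malformed 8-digit values that are still all digits, which is useful for spotting fuzzing traffic, but the security-relevant line is the regular-expression allowlist: a validator that enumerates what is permitted, rather than one that strips known-bad characters, is the correct fix for CWE-78 regardless of which shell the firmware invokes.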
