Description
A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the setUnloadUserData function of the /cgi-bin/cstecgi.cgi script on the CA750-PoE router. By manipulating the HTTP request parameter plugin_version, an external attacker can inject arbitrary operating-system commands. This enables remote command execution on the device, potentially granting full control over the router's operating system and over any network traffic that passes through it. The weakness is classified as OS Command Injection (CWE-77 and CWE-78).

Affected Systems

The affected device is the Totolink CA750-PoE router running firmware version 6.2c.510. No other product or version information is disclosed in the advisory.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS value is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely by sending a crafted HTTP request to the vulnerable endpoint; the exploit is publicly available and has already been demonstrated in the wild. Given the remote nature of the flaw and the ability to run arbitrary commands, the potential impact on confidentiality, integrity, and availability is significant for anyone who can reach the device over the network.

Generated by OpenCVE AI on May 26, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s firmware update that addresses the command injection flaw before deployment.
  • If a patch is not yet available, configure the router’s firewall or ACLs to restrict access to the /cgi-bin/cstecgi.cgi endpoint to trusted management networks.
  • Configure the device to perform rigorous input validation or disable the plugin_version parameter entirely if the functionality is unnecessary.
  • Monitor the device’s system logs for unexpected CGI execution attempts and investigate any anomalies promptly.

Generated by OpenCVE AI on May 26, 2026 at 00:20 UTC.
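One way to implement the log-monitoring action above, as an added example that is not OpenCVE's or Totolink's own code: it scans simplified request-log lines for calls to /cgi-bin/cstecgi.cgi whose plugin_version value contains shell metacharacters or falls outside a conservative allow-list. The log format, the allow-list pattern and the sample lines are constructed assumptions, not the device's real log format.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_PARAM = "plugin_version"

# Characters a shell would interpret; none of them belong in a version string.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")
# Conservative allow-list for a version value (an assumption, not the vendor's format).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Constructed log format (not the router's own): "<ts> <src> <method> <path> [<urlencoded params>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: (\S*))?$")


def inspect(line):
    """Return a finding dict for a suspicious cstecgi.cgi request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    ts, src, method, path, qs = m.groups()
    if path.split("?", 1)[0] != TARGET_PATH:
        return None  # only the vulnerable CGI endpoint is of interest here
    params = parse_qs(qs or "", keep_blank_values=True)  # percent-decodes values
    for value in params.get(TARGET_PARAM, []):
        if SHELL_META.search(value) or not SAFE_VALUE.match(value):
            return {"ts": ts, "src": src, "method": method, "value": value}
    return None


def scan(lines):
    """Run inspect() over an iterable of log lines and collect the findings."""
    return [finding for finding in map(inspect, lines) if finding]


# Constructed sample lines: one benign version, one with a metacharacter, one to a
# different CGI (ignored), and one without the parameter at all.
SAMPLE_LOG = [
    "2026-05-26T00:20:01Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi plugin_version=1.0.3",
    "2026-05-26T00:20:02Z 192.0.2.11 POST /cgi-bin/cstecgi.cgi plugin_version=1.0.3%3Bls",
    "2026-05-26T00:20:03Z 192.0.2.12 GET /cgi-bin/other.cgi plugin_version=%3B",
    "2026-05-26T00:20:04Z 192.0.2.13 GET /cgi-bin/cstecgi.cgi",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```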

Advisories

No advisories yet.

History

Mon, 25 May 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Title | | Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os command injection
First Time appeared | | Totolink; Totolink ca750-poe
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:a:totolink:ca750-poe:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink ca750-poe
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T23:15:13.488Z

Reserved: 2026-05-25T15:08:56.070Z

Link: CVE-2026-9515

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T00:30:26Z

Weaknesses