Impact
The vulnerability resides in the setUploadUserData function of /cgi-bin/cstecgi.cgi on the Totolink CA750-PoE. By manipulating the FileName parameter, an attacker can cause arbitrary OS commands to be executed. This is a classic command injection and OS command injection flaw (CWE-77/CWE-78) that, if successfully exploited, could compromise the router's confidentiality, integrity, and availability.
Affected Systems
Affected devices are Totolink CA750-PoE routers running firmware version 6.2c.510. No newer firmware versions were listed in the data, so any device still on this firmware remains vulnerable. The issue is localized to the Setting Handler component of the router firmware.
Risk and Exploitability
With a CVSS score of 5.3, the severity is medium. The EPSS score of 1% suggests the probability of exploitation is low but not negligible. The vulnerability is openly disclosed, meaning attackers could develop exploits. The flaw is exploitable remotely via the /cgi-bin/cstecgi.cgi endpoint, which is typically reachable from outside the network, giving attackers a path to inject and execute arbitrary commands on the device.
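For defenders who log traffic to the device, the following added example (not part of the advisory and not vendor code) flags requests to the affected handler whose FileName value is not a plain file name. It assumes requests were already parsed into records; the record field names (`src`, `path`, `handler`, `params`), the allowlist pattern and the sample records are hypothetical and constructed for illustration.

```python
import re

# Assumption: a proxy/WAF log pipeline already parsed each request into a dict
# with "src", "path", "handler" and "params" (hypothetical field names).
ENDPOINT = "/cgi-bin/cstecgi.cgi"
HANDLER = "setUploadUserData"
PARAM = "FileName"

# Allowlist: a plain file name made of letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Characters a shell treats specially; reported to help triage.
SHELL_META = set(";|&`$(){}<>\\'\"\n\r\t *?!#~")


def check_filename(value):
    """Return a list of reasons the value is not a plain file name."""
    if not isinstance(value, str):
        return ["not a string"]
    reasons = []
    meta = sorted(c for c in set(value) if c in SHELL_META)
    if meta:
        reasons.append("shell metacharacters: " + " ".join(repr(c) for c in meta))
    if ".." in value or "/" in value:
        reasons.append("path component")
    if not reasons and not SAFE_NAME.fullmatch(value):
        reasons.append("outside allowlist")
    return reasons


def scan(records):
    """Return (src, value, reasons) for flagged requests to the affected handler."""
    hits = []
    for r in records:
        params = r.get("params", {})
        if r.get("path") != ENDPOINT or r.get("handler") != HANDLER or PARAM not in params:
            continue
        reasons = check_filename(params[PARAM])
        if reasons:
            hits.append((r["src"], params[PARAM], reasons))
    return hits


# Constructed sample records (not real traffic).
SAMPLE = [
    {"src": "192.0.2.10", "path": ENDPOINT, "handler": HANDLER, "params": {"FileName": "userdata.bin"}},
    {"src": "198.51.100.7", "path": ENDPOINT, "handler": HANDLER, "params": {"FileName": "x.bin;id"}},
    {"src": "198.51.100.7", "path": ENDPOINT, "handler": "otherHandler", "params": {"FileName": "a|b"}},
]
```

The same allowlist check can serve as a blocking rule on a reverse proxy in front of the management interface while the device remains on the affected firmware.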
OpenCVE Enrichment