Description
A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to OS command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: 1.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the setUploadUserData function of /cgi-bin/cstecgi.cgi on the Totolink CA750-PoE. By manipulating the FileName parameter, an attacker can cause arbitrary OS commands to be executed. This is a classic command injection flaw (CWE-77, and its OS command variant CWE-78); successful exploitation could compromise the router's confidentiality, integrity, and availability.

Affected Systems

Affected devices are Totolink CA750-PoE routers running firmware version 6.2c.510. No newer firmware versions were listed in the data, so any device still on this firmware remains vulnerable. The issue is localized to the Setting Handler component of the router firmware.

Risk and Exploitability

With a CVSS score of 5.3, the severity is medium. The EPSS score of 1% suggests the probability of exploitation is low but not negligible, and the vulnerability is openly disclosed, meaning attackers could develop exploits. The flaw is exploitable remotely via the /cgi-bin/cstecgi.cgi endpoint that is typically reachable from outside the network, giving attackers a path to inject and execute arbitrary commands on the device. The CVSS vectors recorded for this entry specify PR:L (Au:S in CVSS v2), so the attacker needs an authenticated, low-privileged session to reach the vulnerable function.

Generated by OpenCVE AI on June 18, 2026 at 07:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that includes the fix where available.
  • If no patch exists, block remote access to the /cgi-bin/cstecgi.cgi endpoint through firewall rules or network segmentation.
  • Enable logging and monitor for unusual command execution or POST requests to cstecgi.cgi; investigate or alert on suspicious activity.


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | - | A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Title | - | Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
First Time appeared | - | Totolink; Totolink ca750-poe
Weaknesses | - | CWE-77; CWE-78
CPEs | - | cpe:2.3:a:totolink:ca750-poe:*:*:*:*:*:*:*:*
Vendors & Products | - | Totolink; Totolink ca750-poe
References | - | -
Metrics | - | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
        |   | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        |   | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
        |   | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T12:35:34.673Z

Reserved: 2026-05-25T19:44:11.115Z

Link: CVE-2026-9532

Vulnrichment

Updated: 2026-05-26T12:35:31.631Z

NVD

Status: Deferred

Published: 2026-05-26T07:16:19.547

Modified: 2026-06-17T11:05:27.210

Link: CVE-2026-9532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T07:45:03Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')