Description
A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The attack vector involves manipulating the fwUrl or magicid parameters handled by the recvUpgradeNewFw function within the Setting Handler component. A remote attacker can trigger an OS command injection (CWE-77) through malformed input, and the vulnerability is also described as permitting path traversal to execute arbitrary system commands (CWE-78) on the device. This vulnerability compromises confidentiality, integrity, and availability of the affected router.

Affected Systems

Affected systems include Totolink CA750-PoE models running firmware version 6.2c.510. No other versions or variants are listed, so whether a fixed firmware release exists would need to be verified with the vendor.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of 0.05 (5%) suggests a low but non-zero probability of exploitation, and the vulnerability is not listed in CISA KEV, implying no known active exploitation. However, a public exploit is available, and the remote nature of the attack means any network connectivity to the device's web interface could allow exploitation.

Generated by OpenCVE AI on June 1, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest firmware from Totolink that mitigates the recvUpgradeNewFw command injection.
  • Configure firewalls or network segmentation to block remote access to the device’s web interface and the /cgi-bin directory if an update is unavailable.
  • Implement input validation or disable the vulnerable cgi handler to prevent manipulation of the fwUrl/magicid parameters.
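The second and third actions above (restricting access to /cgi-bin/cstecgi.cgi and validating the fwUrl/magicid arguments) can be backed by a log check and an allowlist validator. The following is an added example and is not OpenCVE's or Totolink's code; it assumes a simple access-log shape (client IP, quoted request line, status), assumes the handler name appears in the request target (the `topicurl` parameter name in the sample lines is a guess, so the code matches `recvUpgradeNewFw` anywhere in the target), and uses constructed sample lines rather than real traffic. The validators show what "input validation" for these two arguments can look like: an http(s) URL with a host and no shell metacharacters, and a short alphanumeric token.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical access-log shape used for the constructed sample below:
#   <client ip> "<METHOD> <request-target> HTTP/<ver>" <status>
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

VULN_PATH = "/cgi-bin/cstecgi.cgi"      # handler named in the advisory
VULN_FUNC = "recvUpgradeNewFw"          # function named in the advisory
WATCHED_PARAMS = ("fwUrl", "magicid")   # arguments named in the advisory

# Characters a shell interprets specially; none of them belongs in a
# firmware download URL or a magic id, so their presence fails validation.
SHELL_META = ";&|`$(){}<>\\'\"\n\r"


def validate_fw_url(value: str) -> bool:
    """Allowlist check: an http(s) URL with a host and no shell metacharacters."""
    if any(ch in value for ch in SHELL_META):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_magicid(value: str) -> bool:
    """Allowlist check: a short token of letters, digits, '_' or '-'."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", value) is not None


def inspect_request(line: str):
    """Return {'src': ip, 'params': [failing names]} for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    # Only requests to the vulnerable handler that name the vulnerable
    # function are of interest. The parameter carrying the function name
    # ('topicurl' in the sample) is an assumption, so the function name is
    # matched anywhere in the request target.
    if parts.path != VULN_PATH or VULN_FUNC not in target:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    bad = []
    for name in WATCHED_PARAMS:
        check = validate_fw_url if name == "fwUrl" else validate_magicid
        if any(not check(v) for v in params.get(name, [])):
            bad.append(name)
    if not bad:
        return None
    return {"src": m.group("src"), "params": bad}


def scan_log(text: str):
    """Run inspect_request over every line and return the list of findings."""
    findings = []
    for line in text.splitlines():
        finding = inspect_request(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic). Values are URL-encoded as a
# web server would log them; parse_qs decodes them before validation.
SAMPLE_LOG = """\
10.0.0.5 "GET /cgi-bin/cstecgi.cgi?topicurl=recvUpgradeNewFw&fwUrl=http%3A%2F%2Fupdates.example.net%2Ffw.bin&magicid=1234 HTTP/1.1" 200
10.0.0.9 "GET /cgi-bin/cstecgi.cgi?topicurl=recvUpgradeNewFw&fwUrl=http%3A%2F%2Fx%3Bid&magicid=1234 HTTP/1.1" 200
10.0.0.9 "GET /cgi-bin/cstecgi.cgi?topicurl=recvUpgradeNewFw&fwUrl=http%3A%2F%2Fx&magicid=1234%60id%60 HTTP/1.1" 200
10.0.0.7 "GET /index.html HTTP/1.1" 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {finding['src']}: failing {finding['params']}")
```

The validators are deliberately allowlists rather than blocklists: a firmware URL is accepted only when it parses as http(s) with a host and contains no shell-significant characters, and a magic id only when it is a plain token. The same two functions can be reused at the perimeter (a reverse proxy or WAF in front of the device) while the firmware itself remains unpatched.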

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:30:00 +0000

No values were removed; the following values were added:

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 06:30:00 +0000

No values were removed; the following values were added:

Description: A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title: Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection
First time appeared: Totolink; Totolink ca750-poe
Weaknesses: CWE-77; CWE-78
CPEs: cpe:2.3:a:totolink:ca750-poe:*:*:*:*:*:*:*:*
Vendors & Products: Totolink; Totolink ca750-poe
References: (none listed)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink Ca750-poe
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-27T20:01:48.548Z

Reserved: 2026-05-25T19:44:13.759Z

Link: CVE-2026-9533

Vulnrichment

Updated: 2026-05-27T20:01:44.711Z

NVD

Status: Deferred

Published: 2026-05-26T07:16:19.743

Modified: 2026-05-26T18:59:55.850

Link: CVE-2026-9533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T14:45:26Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')