Description
A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument admpass leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-05-26
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the setPasswordCfg function of /cgi-bin/cstecgi.cgi in the Totolink N300RH web management interface. A crafted value for the admpass argument can inject arbitrary OS commands. This results in full remote code execution, compromising confidentiality, integrity, and availability of the device. The vulnerability is rated CVSS 9.3 and is classified as CWE-77 and CWE-78.

Affected Systems

The flaw affects Totolink N300RH routers running firmware 6.1c.1353_B20190305. Any device deployed with this firmware variant is potentially vulnerable to the described command injection.

Risk and Exploitability

The flaw is remotely reachable via the web interface. Authentication requirements are not specified in the CVE description, so it is unclear whether an attacker must be authenticated to exploit the flaw. With the vulnerability publicly disclosed, attackers may already be attempting exploitation. EPSS is not available, and the issue is not listed in the CISA KEV catalog. The high CVSS score of 9.3 indicates a very high risk of compromise.

Generated by OpenCVE AI on May 26, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest Totolink release that eliminates the vulnerable cstecgi.cgi code or removes the admpass parameter handling.
  • If a firmware update is not yet available, disable remote access to the web management interface or restrict it to trusted local networks or specific IP addresses to block external exploitation traffic.
  • Continuously monitor HTTP traffic for requests to /cgi-bin/cstecgi.cgi containing suspicious parameters and configure alerts or blocking rules to detect and prevent injection attempts.



Advisories

No advisories yet.

History

Tue, 26 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink n300rh
Vendors & Products | | Totolink n300rh

Tue, 26 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Title | | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection
First Time appeared | | Totolink; Totolink n300rh Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:n300rh_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink n300rh Firmware
References | |
Metrics | | cvssV2_0 {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T15:20:50.234Z

Reserved: 2026-05-26T06:38:00.625Z

Link: CVE-2026-9543

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T14:16:46.333

Modified: 2026-05-26T16:16:31.097

Link: CVE-2026-9543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z
