Vypr Intelligence · AI-generated · May 31, 2026 · 9 CVEs

Totolink CA750-PoE: Nine OS Command Injection CVEs Land in a Single Batch

Nine medium-severity OS command injection vulnerabilities were disclosed together for the Totolink CA750-PoE router, all targeting the same CGI handler with publicly available exploits.

Key findings

  • All nine CVEs are OS command injection flaws in the same CGI handler (cstecgi.cgi)
  • Every CVE carries a CVSSv3 score of 6.3 (Medium) with publicly available exploits
  • Affected firmware version is 6.2c.510; no patched release has been issued yet
  • Attack surface spans nine distinct functions from firmware upgrade to password config
  • All nine are remotely exploitable; the CVE descriptions mention no authentication requirement

On May 25–26, 2026, nine CVEs were published for the Totolink CA750-PoE router (firmware version 6.2c.510), every single one an OS command injection flaw in the device's /cgi-bin/cstecgi.cgi Setting Handler. All nine carry a CVSSv3 score of 6.3 (Medium) and, critically, each has a publicly available exploit. The batch represents a concentrated disclosure event targeting a single attack surface — the router's web-based configuration interface — and puts every unpatched CA750-PoE unit at risk of remote compromise.

The vulnerabilities span nine distinct functions within the same CGI endpoint, but they share a common root cause: unsanitized user-supplied arguments are passed to operating-system-level commands. The affected functions and their manipulated arguments are:

  • **setWiFiWpsConfig** — PIN argument (CVE-2026-9534)
  • **recvUpgradeNewFw** — fwUrl and magicid arguments (CVE-2026-9533)
  • **setUploadUserData** — FileName argument (CVE-2026-9532)
  • **setUpgradeUboot** — FileName argument (CVE-2026-9531)
  • **setUnloadUserData** — plugin_version argument (CVE-2026-9515)
  • **setNetworkDiag** — NetDiagHost, NetDiagPingNum, NetDiagPingSize, NetDiagPingTimeOut, and NetDiagTracertHop arguments (CVE-2026-9514)
  • **NTPSyncWithHost** — host_time argument (CVE-2026-9513)
  • **setPasswordCfg** — admuser and admpass arguments (CVE-2026-9512)
  • **setWebWlanIdx** — webWlanIdx argument (CVE-2026-9511)

The pattern is unmistakable: the cstecgi.cgi handler passes attacker-controlled input directly into shell commands without sanitization or escaping. Functions as diverse as firmware upgrade (recvUpgradeNewFw), NTP synchronization (NTPSyncWithHost), network diagnostics (setNetworkDiag), and password configuration (setPasswordCfg) all exhibit the same flaw. This suggests a systemic lack of input validation across the entire CGI interface rather than isolated coding mistakes.
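What hardened handling of these arguments looks like, as an added example in C that is not Totolink's code: the argument names come from the setNetworkDiag record above, while their exact semantics, the numeric ranges and the ping invocation are assumptions. Each field is allowlist-checked and the diagnostic command is assembled as an argv array for execvp(), so no shell ever interprets the values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened handling for the setNetworkDiag arguments. Assumed
 * semantics: NetDiagHost is the target; NetDiagPingNum/Size/TimeOut are ping's
 * count, payload size and reply timeout. Each value is allowlist-checked and the
 * command is built as an argv array for execvp(), never a system() string. */

/* NetDiagHost: hostname or IPv4 literal; letters, digits, '.' and '-' only,
 * and no leading '-' so the value can never be parsed as a ping option. */
bool valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return false;
    }
    if (s[0] == '.' || s[0] == '-' || s[n - 1] == '.' || s[n - 1] == '-') return false;
    return strstr(s, "..") == NULL;
}

/* Numeric arguments: decimal digits only, inside a caller-chosen range. */
bool valid_number(const char *s, long lo, long hi, long *out) {
    size_t n = strlen(s);
    if (n == 0 || n > 9) return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    long v = strtol(s, NULL, 10);
    if (v < lo || v > hi) return false;
    if (out) *out = v;
    return true;
}

/* Fills argv (room for 9 pointers) with: ping -c NUM -s SIZE -W TIMEOUT HOST.
 * Returns the argument count, or -1 if any field fails validation. The numeric
 * ranges are assumed limits, not values taken from the CVE records. */
int build_ping_argv(const char *host, const char *num, const char *size,
                    const char *timeout, char *argv[9], char buf[3][12]) {
    long n, s, t;
    if (!valid_host(host)) return -1;
    if (!valid_number(num, 1, 10, &n) || !valid_number(size, 0, 1472, &s) ||
        !valid_number(timeout, 1, 30, &t)) return -1;
    snprintf(buf[0], 12, "%ld", n); snprintf(buf[1], 12, "%ld", s); snprintf(buf[2], 12, "%ld", t);
    char *v[9] = {"ping", "-c", buf[0], "-s", buf[1], "-W", buf[2], (char *)host, NULL};
    memcpy(argv, v, sizeof(v));
    return 8;   /* caller then does fork() and execvp(argv[0], argv); no shell involved */
}
```

The same two rules (a per-field allowlist and an argv array instead of a concatenated shell string) apply to the other eight handlers, whose arguments are file names, URLs and credentials rather than a host and counters.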

All nine attacks can be launched remotely — no authentication requirement is mentioned in the CVE descriptions, which is consistent with many Totolink embedded-device vulnerabilities where the CGI interface is exposed on the LAN (and often the WAN) side. An unauthenticated attacker who can reach the router's web interface can inject arbitrary OS commands by crafting a malicious HTTP request to any of the affected endpoints.

The exploit for each CVE has been published publicly, lowering the barrier to weaponization. While no in-the-wild exploitation campaigns have been reported in the disclosure materials, the availability of working proof-of-concept code means that active scanning for vulnerable CA750-PoE units is likely imminent.

As of the disclosure date, Totolink has not released a patched firmware version for the CA750-PoE. Users running firmware 6.2c.510 — the only version cited across all nine CVEs — should consider the device compromised if it is reachable from untrusted networks. Mitigations in the absence of a vendor patch include: restricting access to the router's web interface to trusted local IPs only, disabling remote management if the feature is available, and monitoring for unexpected outbound connections that could indicate a successful injection.

This batch underscores a recurring problem in the IoT and SOHO-router space: a single firmware build harboring a systemic command-injection vulnerability class across nearly every configuration handler. For Totolink CA750-PoE owners, the disclosure is a clear signal that the device's web management interface cannot be trusted until a comprehensive firmware update addresses input sanitization across the entire cstecgi.cgi code path.

AI-written article. Grounded in 9 CVE records listed below.