CVE-2026-9511
Description
A vulnerability was identified in Totolink CA750-PoE 6.2c.510. This affects the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument webWlanIdx leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TOTOLINK CA750-PoE router in firmware 6.2c.510 has a command injection in the setWebWlanIdx function via the webWlanIdx argument, allowing unauthenticated remote attackers to execute arbitrary OS commands.
Vulnerability
The vulnerability resides in the setWebWlanIdx function of the TOTOLINK CA750-PoE router running firmware version 6.2c.510. The function is accessible via the /cgi-bin/cstecgi.cgi endpoint in the Setting Handler component. The argument webWlanIdx is passed directly into a system call without proper sanitization, leading to OS command injection [1]. This affects all devices with this firmware version.
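The defect described above is the classic pattern of an untrusted HTTP parameter being spliced into a shell command. The following C example, written for this page and not taken from TOTOLINK's firmware (the real handler's code is not public here), shows the defensive counterpart: an index parameter is accepted only as a small, bounded decimal integer, and only the validated integer ever reaches the command or interface name, so shell metacharacters such as backticks never have an effect. The MAX_WLAN_IDX bound, the "wlan%d" naming and the sample inputs are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on WLAN interface indexes; a real handler would take
 * this from the device's own interface table. */
#define MAX_WLAN_IDX 7

/* Returns the index in [0, MAX_WLAN_IDX] if `raw` is a plain decimal number,
 * or -1 for anything else: empty string, sign, whitespace, shell
 * metacharacters, or an out-of-range value. */
int parse_wlan_idx(const char *raw)
{
    size_t len;
    int value = 0;

    if (raw == NULL)
        return -1;
    len = strlen(raw);
    if (len == 0 || len > 3)          /* nothing longer than "999" is an index */
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)raw[i]))
            return -1;                /* rejects '`', ';', '|', '$', spaces, ... */
        value = value * 10 + (raw[i] - '0');
    }
    if (value > MAX_WLAN_IDX)
        return -1;
    return value;
}

/* Hardened way to derive the interface name: the untrusted string is
 * discarded after validation and only the integer is formatted in.
 * Returns a pointer to a static buffer, or NULL if the input was rejected. */
const char *wlan_ifname(const char *raw)
{
    static char buf[16];
    int idx = parse_wlan_idx(raw);

    if (idx < 0)
        return NULL;
    if (snprintf(buf, sizeof buf, "wlan%d", idx) >= (int)sizeof buf)
        return NULL;
    return buf;
}

/* Audit helper for request logs: does a parameter value contain characters
 * a POSIX shell would interpret?  Returns 1 if so, 0 otherwise. */
int has_shell_metachars(const char *s)
{
    return s != NULL && strpbrk(s, "`$;|&<>(){}\n\r\\'\"") != NULL;
}

int main(void)
{
    /* Constructed sample values for the webWlanIdx parameter. */
    const char *samples[] = { "1", "0", "42", "1`x`", "1;x", "", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = wlan_ifname(samples[i]);
        printf("%-6s -> %s%s\n", samples[i], name ? name : "REJECTED",
               has_shell_metachars(samples[i]) ? "  (shell metacharacters present)" : "");
    }
    return 0;
}
```

The important design choice is that validation produces a typed value (an integer) rather than a "cleaned" string: a handler that still passes the original string to `system()` after trying to strip bad characters is one missed character away from the same bug. Where a shell command is genuinely unavoidable, pass arguments via `execve()`-style argument vectors instead of a single command line.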
Exploitation
An attacker can send a crafted POST request to /cgi-bin/cstecgi.cgi with a malicious webWlanIdx parameter containing arbitrary OS commands enclosed in backticks. The attack is remote and does not require authentication [1]. For example, the payload telnetd -l /bin/sh -p 1111 can be injected to start a Telnet service on the device [1]. A proof-of-concept request shows the injection works by embedding the payload in the PIN field of a JSON body [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router with root privileges. This can lead to full device compromise, including remote shell access, modification of configuration, and potential lateral movement within the network [1].
Mitigation
As of the publication date (2026-05-25), no official patch or fixed version has been released by TOTOLINK. The vendor has not responded to the report [1]. A potential workaround is to restrict remote access to the management interface to trusted networks only, or to disable the affected functionality if feasible. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of May 2026.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 5
News mentions: 0
No linked articles in our index yet.