VYPR
Medium severity 6.3 · NVD Advisory · Published May 25, 2026

CVE-2026-9513

Description

A weakness has been identified in Totolink CA750-PoE 6.2c.510. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument host_time can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Totolink CA750-PoE firmware 6.2c.510 has an unauthenticated OS command injection in the NTPSyncWithHost function via the host_time parameter, enabling remote code execution.

Vulnerability

The vulnerability resides in the NTPSyncWithHost function within the binary system.so, exposed through the CGI endpoint /cgi-bin/cstecgi.cgi on Totolink CA750-PoE routers running firmware version 6.2c.510 [1]. The host_time argument is directly passed into system commands without sanitization, allowing injection of arbitrary OS commands [1]. No authentication is required for the endpoint [1].

Exploitation

An unauthenticated remote attacker can send a crafted POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing a malicious host_time value [1]. For example, setting host_time to '\telnetd -l /bin/sh -p 8890\' causes the router to execute a telnet daemon listening on port 8890 with a root shell [1]. The request must include a valid session cookie (obtainable without authentication) and the header Content-Type: application/x-www-form-urlencoded; charset=UTF-8 [1].

Impact

Successful exploitation results in arbitrary OS command execution as root on the router [1]. An attacker can gain a remote shell, install persistent backdoors, exfiltrate network traffic, pivot to internal networks, or render the device unusable [1].

Mitigation

No official patch has been released as of the publication date (2026-05-25) [1]. The vendor (Totolink) has not responded to the disclosure. Users should restrict remote access to the router's management interface (isolate from the internet), apply strict firewall rules, or replace the device if possible [1].
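With no patch available, requests that reach the management interface can be screened in proxy or capture logs. The sketch below is an added example, not code from the advisory or the vendor: it classifies logged requests to /cgi-bin/cstecgi.cgi by their host_time value, assuming a legitimate value is a plain date-time string and that the log provides method, path and raw body. The sample requests are constructed.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"
# Assumption: a legitimate host_time holds only digits, dashes, colons, spaces.
SAFE_HOST_TIME = re.compile(r"[0-9][0-9:\- ]{0,31}")
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[`$;|&<>\\\n\r'\"(){}]")
# Fallback extractor for bodies that are not well-formed JSON.
RAW_FIELD = re.compile(r'"host_time"\s*:\s*"((?:[^"\\]|\\.)*)"')

def extract_host_time(body):
    """Return the host_time value from a request body, or None if absent."""
    try:
        # The body is JSON even though the Content-Type says form-urlencoded.
        doc = json.loads(body)
    except ValueError:
        match = RAW_FIELD.search(body)
        return match.group(1) if match else None
    if isinstance(doc, dict) and "host_time" in doc:
        return str(doc["host_time"])
    return None

def classify(method, path, body):
    """Return 'ignore', 'ok', 'suspicious' or 'injection' for one request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    value = extract_host_time(body)
    if value is None:
        return "ignore"
    if SHELL_META.search(value):
        return "injection"   # shell metacharacter inside host_time
    if not SAFE_HOST_TIME.fullmatch(value):
        return "suspicious"  # no metacharacter, but not a date-time string
    return "ok"

# Constructed sample requests: (method, path, raw body).
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, '{"host_time": "2026-05-25 10:15:00"}'),
    ("POST", ENDPOINT, '{"host_time": "`id`"}'),
    ("POST", ENDPOINT, '{"host_time": "tomorrow"}'),
    ("POST", ENDPOINT, '{"host_time": "2026-05-25;id"'),  # truncated JSON
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        print(classify(method, path, body), method, path, body)
```

Any 'injection' or 'suspicious' verdict from a source outside the management network is worth investigating, since the endpoint should not be reachable from there at all.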

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

5
