CVE-2026-9515
Description
A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Totolink CA750-PoE firmware 6.2c.510 allows remote attackers to execute arbitrary OS commands via the plugin_version parameter.
Vulnerability
The vulnerability resides in the setUnloadUserData function within /cgi-bin/cstecgi.cgi of the Totolink CA750-PoE router running firmware version 6.2c.510. The plugin_version argument is passed directly to a system command without sanitization, leading to OS command injection. The affected handler is part of the Setting component. The issue is described in reference [1].
Exploitation
An attacker can send a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a malicious plugin_version value. The attack is remote, requires no authentication, and leverages a public proof-of-concept that sets plugin_version to `telnetd -l /bin/sh -p 8892` to spawn a reverse shell. The request uses a JSON payload with topicurl set to `setting/setUnloadUserData` [1].
Impact
Successful exploitation grants the attacker remote command execution on the router as root (or equivalent privileged user). This can lead to full device compromise, including data exfiltration, network pivoting, and persistent access.
Mitigation
No official fix has been released by Totolink as per the available reference [1]. Users are advised to monitor the vendor for firmware updates. As a workaround, restrict access to the management interface to trusted IPs only, or disable remote administration if not required. The vulnerability has been publicly disclosed and a PoC is available, increasing exploitation risk.
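Until a vendor fix exists, the request shape described above is specific enough to detect at a reverse proxy, WAF or log pipeline. The following is an added example, not code from Totolink or from the cited reference: it classifies logged requests to the vulnerable endpoint and flags a plugin_version that cannot be a plain version string. The version allowlist and the sample log entries are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Request shape from the advisory: POST to the CGI endpoint with a JSON body
# whose topicurl selects the handler and whose plugin_version is injected.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_TOPIC = "setting/setUnloadUserData"
VULN_ARG = "plugin_version"
# Assumed allowlist for a version string (the real format is not on the page)
# and the characters that let a value break out of a shell command line.
VERSION_RE = re.compile(r"^[0-9A-Za-z._-]{1,32}$")
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\s\\]")

def classify_request(request_line, body):
    """Classify one logged request: ignore, benign, suspicious or malformed."""
    parts = request_line.split()
    if len(parts) < 2:
        return "malformed"
    method, target = parts[0], parts[1]
    # Match the path only, so a query string cannot disguise the endpoint.
    if method.upper() != "POST" or urlsplit(target).path != VULN_PATH:
        return "ignore"
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return "malformed"
    if not isinstance(data, dict) or data.get("topicurl") != VULN_TOPIC:
        return "ignore"
    value = str(data.get(VULN_ARG, ""))
    if value and (SHELL_META_RE.search(value) or not VERSION_RE.match(value)):
        return "suspicious"
    return "benign"

def scan_log(entries):
    """Return the (request_line, body) pairs that look like injection attempts."""
    return [e for e in entries if classify_request(*e) == "suspicious"]

# Constructed sample log entries (not captured traffic); the second carries
# the public PoC value quoted in the advisory.
SAMPLE_ENTRIES = [
    ("POST /cgi-bin/cstecgi.cgi HTTP/1.1",
     '{"topicurl":"setting/setUnloadUserData","plugin_version":"1.0.3"}'),
    ("POST /cgi-bin/cstecgi.cgi?r=1 HTTP/1.1",
     '{"topicurl":"setting/setUnloadUserData",'
     '"plugin_version":"telnetd -l /bin/sh -p 8892"}'),
    ("GET /index.html HTTP/1.1", ""),
    ("POST /cgi-bin/cstecgi.cgi HTTP/1.1", "{not json"),
]
```

A request the function marks suspicious is worth blocking outright, since a legitimate version string never needs shell metacharacters or whitespace.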
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.