CVE-2026-9531

Vulnerability

The vulnerability resides in the setUpgradeUboot function within the file /cgi-bin/cstecgi.cgi of the Totolink CA750-PoE router running firmware version 6.2c.510 [1]. The FileName argument is directly passed to an OS command without proper sanitization, leading to command injection. The affected component is the Setting Handler, and the code path is reachable via the web interface without authentication [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing a malicious FileName value wrapped in backticks (e.g., ` telnetd -l /bin/sh -p 8893 `) [1]. No authentication is required, and the exploit has been publicly disclosed with a proof-of-concept [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the router with root privileges, leading to full device compromise. The PoC demonstrates spawning a telnet shell, enabling persistent remote access and further network attacks [1].

Mitigation

As of the publication date, no official patch or firmware update has been released by Totolink [1]. Users should restrict network access to the router's management interface (e.g., via firewall rules) and monitor for suspicious activity. The vendor has not listed this CVE in the Known Exploited Vulnerabilities (KEV) catalog. Until a fix is available, consider replacing the device or disabling remote management if possible [1].