CVE-2026-9532
Description
A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Manipulation of the argument FileName leads to OS command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection in the setUploadUserData function of /cgi-bin/cstecgi.cgi on the Totolink CA750-PoE router allows remote attackers to execute arbitrary commands via a crafted FileName parameter.
Vulnerability
The vulnerability resides in the setUploadUserData function, reached through /cgi-bin/cstecgi.cgi, on Totolink CA750-PoE routers running firmware version 6.2c.510. The FileName argument of the request is not sanitized before it is interpolated into a command string that is handed to the system shell, so an attacker can inject arbitrary OS commands through a crafted POST request to that handler. The affected component is the Setting Handler [1].
Exploitation
The vulnerability is exploitable remotely: the published proof of concept sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi whose JSON body carries a FileName value containing shell metacharacters. For example, a FileName value of `telnetd -l /bin/sh -p 8894` causes the router to run that command; the backticks are what makes this work, since the shell evaluates their contents as a command substitution while processing the command string the handler builds. The result is a telnet listener on TCP port 8894 that hands out /bin/sh to whoever connects, i.e. a bind shell rather than a reverse shell [1]. No special network position or user interaction is required beyond network reachability of the device's web interface; whether the request must carry a valid management session is not stated in the CVE description.
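Added example, not code from this page or from Totolink: the bug class the paragraph above describes, reconstructed as a hypothetical C handler that splices FileName into a shell command, beside a hardened version that allowlists the name and execs cp with an argv array so no shell is ever involved. A small scanner pulls FileName out of a captured POST body so the same check can double as a detection over logged requests. The function names, the JSON body layout, the upload directory and the destination path are all assumptions; the constructed request body carries only the FileName field, since the page does not show the rest of the real request.

```c
/*
 * Added example, not Totolink's code: a hypothetical reconstruction of the
 * bug class behind CVE-2026-9532 (attacker-controlled FileName spliced into
 * a shell command) next to a hardened version. Function names, the JSON
 * body layout and the file paths are assumptions; the real cstecgi.cgi
 * source is not on this page.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UPLOAD_DIR "/tmp/upload"          /* assumed staging directory */
#define USERDATA_DEST "/tmp/userdata.bin" /* assumed destination path */

/* Constructed request body in the shape the Exploitation section describes:
 * a JSON object whose FileName value is the published payload. Other fields
 * the real request may carry are not shown on the page and are omitted. */
static const char SAMPLE_ATTACK_BODY[] =
    "{\"FileName\":\"`telnetd -l /bin/sh -p 8894`\"}";

/* Minimal scanner for "FileName":"<value>": copies <value> into out and
 * returns 1, or returns 0 if the key or the closing quote is missing.
 * Enough for a detection check over captured POST bodies; not a JSON parser. */
int extract_filename(const char *body, char *out, size_t outlen)
{
    const char *key = "\"FileName\"";
    const char *p = strstr(body, key);
    if (!p) return 0;
    p += strlen(key);
    while (*p == ' ' || *p == ':') p++;      /* tolerate "FileName": "..." */
    if (*p != '"') return 0;
    p++;
    size_t i = 0;
    while (*p && *p != '"' && i + 1 < outlen) {
        if (*p == '\\' && p[1]) p++;         /* keep the escaped char literally */
        out[i++] = *p++;
    }
    if (*p != '"') return 0;
    out[i] = '\0';
    return 1;
}

/* VULNERABLE pattern: FileName is pasted into a command line that a real
 * handler would pass to system(), i.e. to /bin/sh -c. This version only
 * builds the string so the result can be inspected without executing it. */
int build_cmd_vulnerable(const char *filename, char *out, size_t outlen)
{
    return snprintf(out, outlen, "cp %s/%s %s", UPLOAD_DIR, filename, USERDATA_DEST);
}

/* Hardened check: a bare file name drawn from a conservative allowlist.
 * Rejects path separators, a leading dot (so "." and ".."), and every shell
 * metacharacter, including the backticks used by the published payload. */
int filename_is_safe(const char *filename)
{
    size_t n = strlen(filename);
    if (n == 0 || n > 64 || filename[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened copy: validate, then execv() with an argv array. No shell is
 * involved, so even a name that slipped past the check is one argument to
 * cp, never a command. Returns cp's exit status, or -1 on rejection/error. */
int copy_user_data_safe(const char *filename)
{
    if (!filename_is_safe(filename)) return -1;
    char src[256];
    snprintf(src, sizeof src, "%s/%s", UPLOAD_DIR, filename);
    char *const argv[] = { "cp", src, USERDATA_DEST, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/cp", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char name[128], cmd[512];
    if (!extract_filename(SAMPLE_ATTACK_BODY, name, sizeof name)) return 1;
    build_cmd_vulnerable(name, cmd, sizeof cmd);
    printf("vulnerable handler would pass to /bin/sh: %s\n", cmd);
    printf("hardened check accepts payload: %s\n", filename_is_safe(name) ? "yes" : "no");
    printf("hardened check accepts user.dat: %s\n", filename_is_safe("user.dat") ? "yes" : "no");
    return 0;
}
```

The point of the contrast is that sanitizing alone is the weaker fix: the allowlist stops the known payload, but removing the shell from the call path (execv with an argv array) is what makes the remaining metacharacter cases irrelevant. The scanner plus filename_is_safe can be run over captured bodies for /cgi-bin/cstecgi.cgi to flag requests whose FileName would never be a legitimate file name.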
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the router with the privileges of the CGI process, which on embedded routers of this kind is commonly root, leading to full compromise of the device. This could result in unauthorized access, data exfiltration, denial of service, or use of the router as a pivot for further attacks on the network behind it. The impact is high, since the router typically serves as the gateway for the local network [1].
Mitigation
No official patch or fixed firmware version has been released by Totolink as of the publication date. The vendor has not acknowledged the vulnerability or provided a timeline for a fix. As a workaround, users may restrict remote access to the router's management interface to trusted networks or disable remote management if not required. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.