CVE-2026-9533

Vulnerability

The vulnerability resides in the recvUpgradeNewFw function within the file /cgi-bin/cstecgi.cgi of the Totolink CA750-PoE router running firmware version 6.2c.510. The function does not sanitize the fwUrl and magicid arguments, allowing an attacker to inject arbitrary OS commands. The code path is reachable via the setting/recvUpgradeNewFw topic URL [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted POST request to /cgi-bin/cstecgi.cgi. The request includes a JSON payload with the fwUrl parameter containing backtick-enclosed commands. For example, setting fwUrl to ` telnetd -l /bin/sh -p 8895 ` will cause the router to execute the command, spawning a telnet shell on port 8895. The exploit is publicly available [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the router with root privileges. This can lead to full compromise of the device, including data exfiltration, further network attacks, or persistent backdoor access [1].

Mitigation

As of the publication date (2026-05-26), no official patch has been released by Totolink. Users should monitor the vendor's website for firmware updates. Until a fix is available, consider restricting access to the router's management interface to trusted networks only, or disabling remote management if not required. The vulnerability is publicly known and may be actively exploited [1].