Medium severity6.3NVD Advisory· Published May 26, 2026

CVE-2026-9534

Description

A flaw has been found in Totolink CA750-PoE 6.2c.510. This affects the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument PIN can lead to os command injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TOTOLINK CA750-PoE firmware v6.2c.510 has an OS command injection in the setWiFiWpsConfig function via the PIN parameter, leading to remote unauthenticated RCE.

Vulnerability

The vulnerability resides in the setWiFiWpsConfig function of the /cgi-bin/cstecgi.cgi endpoint in TOTOLINK CA750-PoE routers running firmware version 6.2c.510 [1]. The function directly passes the user-supplied PIN argument to OS-level commands without sanitization, enabling command injection. No authentication or special configuration is required to reach the vulnerable code path; the endpoint is exposed to remote unauthenticated attackers [1].

Exploitation

An unauthenticated remote attacker can exploit the flaw by sending a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing a malicious PIN value. As demonstrated in the published proof of concept (PoC), setting the PIN to ` telnetd -l /bin/sh -p 8896 causes the router to execute the attacker-supplied command in backticks, launching a telnet daemon on port 8896 that provides a remote shell [1]. The request uses Content-Type: application/x-www-form-urlencoded; charset=UTF-8` and includes a valid session cookie, though authentication is not enforced for this endpoint [1].

Impact

Successful exploitation grants the attacker remote, unauthenticated arbitrary OS command execution as root on the affected router. The PoC specifically demonstrates gaining an interactive shell via telnet, leading to full device compromise [1]. Attackers could then pivot within the network, exfiltrate data, or plant persistent malware.

Mitigation

As of the publication date (2026-05-26), no official firmware update from TOTOLINK has been announced for this vulnerability [1]. The reference suggests implementing input validation on the PIN parameter to prevent command injection [1]. Until a patch is released, mitigating measures include restricting remote access to the router's management interface, blocking the endpoint /cgi-bin/cstecgi.cgi via firewall rules, or replacing the device with one that receives ongoing security support. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

References

my_vuln/totolink4/vuln_57/57.md at main · wudipjq/my_vuln

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Dlink/DIR-816references
Totolink/CA750-PoEllm-create
Range: = 6.2c.510

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000