CVE-2026-9543
Description
A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument admpass leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-auth OS command injection in Totolink N300RH web interface allows remote attackers to execute arbitrary commands.
Vulnerability
An OS command injection vulnerability exists in the setPasswordCfg function of the web management interface (/cgi-bin/cstecgi.cgi) on Totolink N300RH routers running firmware version 6.1c.1353_B20190305. The admpass parameter is not properly sanitized, allowing injection of arbitrary system commands. No authentication is required to reach this endpoint [1].
Exploitation
An attacker can send a crafted HTTP request to the vulnerable endpoint with the admpass parameter containing command injection payloads (e.g., using backticks or shell metacharacters). The exploit is publicly available and does not require any prior authentication or user interaction [1].
Impact
Successful exploitation results in remote code execution (RCE) as the root user, giving the attacker full control over the device. This can lead to complete compromise of network traffic, data exfiltration, or use of the router in botnets [1].
Mitigation
As of the publication date (2026-05-26), no official patch has been released by Totolink. Users are advised to isolate the router from untrusted networks or replace it with a supported model. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
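With no patch available, one compensating control is to flag requests to the affected endpoint whose admpass value carries shell metacharacters. The following is an added detection sketch, not code from the advisory or from Totolink. The request body encoding is not stated on this page, so both JSON and form encoding are assumed and tried, and the sample requests are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # endpoint named in the CVE description
PARAM = "admpass"                  # argument named in the CVE description

# Characters a POSIX shell interprets: backtick, $, ;, |, &, redirects,
# grouping, quotes, backslash and line breaks.
SHELL_META = re.compile(r"[`$;|&<>(){}\\'\"\r\n]")


def extract_param(body, name=PARAM):
    """Return the parameter from a JSON or form-encoded body, else None.

    Both encodings are tried because the body format is an assumption.
    """
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and name in doc:
            return str(doc[name])
    except ValueError:
        pass  # not JSON, fall through to form decoding
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def is_suspicious(path, body):
    """True when a request to the endpoint has shell metacharacters in admpass."""
    if path.split("?", 1)[0] != ENDPOINT:
        return False
    value = extract_param(body)
    return value is not None and bool(SHELL_META.search(value))


# Constructed sample requests (path, body), not captured traffic.
SAMPLES = [
    ("/cgi-bin/cstecgi.cgi", '{"admpass": "Winter2026"}'),  # plain value
    ("/cgi-bin/cstecgi.cgi", '{"admpass": "x`id`"}'),       # backticks, JSON
    ("/cgi-bin/cstecgi.cgi", "admpass=x%3Bid"),             # encoded ';', form
    ("/index.html", '{"admpass": "x`id`"}'),                # other path
]


def scan(samples):
    return [is_suspicious(path, body) for path, body in samples]


if __name__ == "__main__":
    for (path, body), hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", path, body)
```

A legitimate password may contain characters such as `$` or `&`, so treat a hit as a prompt for review of the source address and the device rather than as proof of compromise.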
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.