PatchSiren cyber security CVE debrief

CVE-2026-9512 Totolink CVE debrief

A command injection vulnerability exists in the Totolink CA750-PoE 6.2c.510 firmware. The flaw resides in the setPasswordCfg function within /cgi-bin/cstecgi.cgi, where unsanitized input for the admuser and admpass parameters allows remote attackers to execute arbitrary operating system commands. The vulnerability requires authentication (PR:L per CVSS 4.0 vector), limiting its immediate exploitability. Public exploit disclosure occurred on 2026-05-25, with subsequent NVD modification on 2026-05-26. The CVSS 4.0 score of 2.1 (LOW severity) reflects the authenticated nature of the attack vector. No CISA KEV listing or known ransomware campaign use has been identified.

Vendor: Totolink
Product: CA750-PoE
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink CA750-PoE access points; security teams responsible for IoT/embedded device security; organizations whose remote management interfaces are exposed to untrusted networks.

Technical summary

The setPasswordCfg function in /cgi-bin/cstecgi.cgi fails to properly sanitize the admuser and admpass parameters, permitting OS command injection. Attackers with valid credentials can remotely execute arbitrary commands on the underlying operating system. The vulnerability affects firmware version 6.2c.510.

Defensive priority

LOW

Recommended defensive actions

  • Restrict administrative access to the management interface to trusted networks only
  • Monitor for unauthorized access attempts to /cgi-bin/cstecgi.cgi
  • Apply firmware updates from Totolink when available
  • Implement network segmentation to isolate affected devices from critical infrastructure
  • Review authentication logs for anomalous administrative activity
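As an added illustration of the monitoring item above (this is not code from PatchSiren or Totolink), the following Python scans request lines for the vulnerable endpoint and flags shell metacharacters in the admuser and admpass parameters, as well as requests that reach /cgi-bin/cstecgi.cgi from outside the administrative network. The log line format, the 10.0.0.0/8 trusted network, and the sample lines are assumptions constructed for the example.

```python
"""Flag suspicious setPasswordCfg requests to /cgi-bin/cstecgi.cgi.
Assumed (not from the advisory): one request per line formatted as
<client_ip> "<METHOD> <target> HTTP/x" <status> "<form body>"; 10.0.0.0/8 is trusted."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
WATCHED_PARAMS = ("admuser", "admpass")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed admin network
# Shell metacharacters that never belong in a credential bound for an OS command (CWE-77/78).
META = re.compile(r"[;&|`$(){}<>\n]")
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) "(.*)"$')
# Constructed sample: a benign change, an injection attempt from outside
# the admin network, and a refused attempt carried in the query string.
SAMPLE_LOG = """\
10.0.0.5 "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 "admuser=admin&admpass=Str0ngPass%21"
203.0.113.9 "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 "admuser=admin&admpass=x%3B%20ls"
10.0.0.7 "GET /cgi-bin/cstecgi.cgi?admuser=a%60date%60 HTTP/1.1" 401 ""
10.0.0.5 "GET /index.html HTTP/1.1" 200 ""
"""

def parse_line(line):
    """Parse one line into a dict; query-string and body parameters are merged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, _method, target, status, body = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return {"ip": ip, "path": parts.path, "status": int(status), "params": params}

def classify(rec):
    """Return finding strings for one parsed request (empty list = nothing to flag)."""
    findings = []
    if rec is None or rec["path"] != TARGET_PATH:
        return findings
    if not any(ipaddress.ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
        findings.append("cstecgi.cgi reached from untrusted network")
    for name in WATCHED_PARAMS:  # values are URL-decoded, so %3B is caught as ';'
        if any(META.search(v) for v in rec["params"].get(name, [])):
            findings.append(f"shell metacharacter in {name}")
    return findings

def scan(log_text):
    """Return [(client_ip, findings)] for every line that produced a finding."""
    recs = [parse_line(line) for line in log_text.splitlines()]
    return [(r["ip"], f) for r in recs if (f := classify(r))]
```

Running scan(SAMPLE_LOG) reports only the two flagged requests; the benign password change from the admin network produces no finding.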

Evidence notes

Vulnerability confirmed via VulDB submission (ID 813923) and associated technical reference. CVSS 4.0 vector indicates network attack vector with low attack complexity, but requires prior authentication. CWE-77 and CWE-78 classifications indicate improper neutralization of special elements used in command construction.

Official resources

Public exploit released 2026-05-25; NVD entry modified 2026-05-26