PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9513 Totolink CVE debrief

A command injection vulnerability exists in the NTPSyncWithHost function of the /cgi-bin/cstecgi.cgi endpoint on Totolink CA750-PoE devices running firmware version 6.2c.510. The host_time parameter accepts unsanitized input that is passed to a shell command, enabling authenticated remote attackers to execute arbitrary operating system commands. The vulnerability requires low privileges and no user interaction, and the attack vector is network-based. Public exploit availability increases practical risk despite the LOW CVSS severity rating. The affected component is the Setting Handler's NTP synchronization functionality.

Vendor: Totolink
Product: CA750-PoE
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Network administrators managing Totolink CA750-PoE wireless access points; security teams responsible for network infrastructure hardening; organizations using these devices in production environments

Technical summary

The NTPSyncWithHost function in /cgi-bin/cstecgi.cgi fails to sanitize the host_time parameter before passing it to a shell command execution context. An authenticated attacker can inject shell metacharacters to execute arbitrary OS commands with the privileges of the web server process. The vulnerability is remotely exploitable with low privileges and requires no user interaction.

Defensive priority

medium

Recommended defensive actions

  • Restrict administrative access to the web management interface to trusted networks only
  • Implement network segmentation to isolate affected devices from untrusted networks
  • Monitor for suspicious requests to /cgi-bin/cstecgi.cgi containing shell metacharacters in the host_time parameter
  • Apply vendor firmware updates when available
  • Disable remote web administration if not required
  • Review device logs for unauthorized NTP configuration changes
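
The monitoring action above can be prototyped as a filter over requests captured at a reverse proxy or IDS. The following is an added example, not code from the advisory or the vendor. It assumes the request body is either JSON or form-encoded; the topicurl field and the timestamp format in the sample records are assumptions, and all sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
PARAM = "host_time"                # parameter named in the advisory
# Characters a shell treats specially; none belongs in a time value.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r*?!#~]")


def extract_host_time(body):
    """Return host_time values from a JSON or form-encoded body (layout assumed)."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and PARAM in doc:
            return [str(doc[PARAM])]
    except ValueError:
        pass  # not JSON, fall through to form decoding
    # parse_qs percent-decodes, so an encoded %3B is inspected as ';'
    return parse_qs(body, keep_blank_values=True).get(PARAM, [])


def suspicious(path, body):
    """True when a request to the endpoint carries shell metacharacters in host_time."""
    target, _, query = path.partition("?")
    if target != ENDPOINT:
        return False
    values = extract_host_time(body) + parse_qs(query).get(PARAM, [])
    return any(SHELL_META.search(v) for v in values)


def scan(records):
    """Return the indexes of (path, body) records that should raise an alert."""
    return [i for i, (path, body) in enumerate(records) if suspicious(path, body)]


# Constructed sample records, not captured traffic; body layout is an assumption.
SAMPLES = [
    (ENDPOINT, '{"topicurl": "NTPSyncWithHost", "host_time": "2026-05-25 10:00:00"}'),
    (ENDPOINT, '{"topicurl": "NTPSyncWithHost", "host_time": "2026-05-25 10:00:00;echo test"}'),
    (ENDPOINT, "host_time=2026-05-25+10%3A00%3A00"),
    (ENDPOINT, "host_time=2026-05-25%60echo+test%60"),
    ("/index.html", "host_time=%3Becho+test"),
]

if __name__ == "__main__":
    for idx in scan(SAMPLES):
        print("ALERT record", idx, SAMPLES[idx][1])
```

Decoding the value before matching matters: a rule that greps the raw body for ';' misses the percent-encoded record at index 3.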

Evidence notes

Vulnerability disclosed via VulDB with public exploit reference. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and no user interaction. CWE-77 and CWE-78 (command injection) identified as root cause. Exploit marked as publicly available per source metadata.
