PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9514 Totolink CVE debrief

An OS command injection vulnerability exists in Totolink CA750-PoE firmware 6.2c.510. The setNetworkDiag function in /cgi-bin/cstecgi.cgi does not sanitize the network diagnostic parameters NetDiagHost, NetDiagPingNum, NetDiagPingSize, NetDiagPingTimeOut and NetDiagTracertHop before they reach underlying system commands, so an authenticated remote attacker can inject arbitrary operating system commands. Exploitation needs only low privileges and no user interaction, and a public exploit has been disclosed, which raises the immediate risk despite the LOW (2.1) CVSS score. The affected component is the device's web-based settings handler for network diagnostics.

Vendor
Totolink
Product
CA750-PoE
CVSS
LOW 2.1 (CVSS 4.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Network administrators managing Totolink CA750-PoE wireless access points; security teams responsible for IoT/edge device security; organizations using Totolink infrastructure equipment in production environments.

Technical summary

The setNetworkDiag function in /cgi-bin/cstecgi.cgi of Totolink CA750-PoE 6.2c.510 passes the attacker-controlled parameters NetDiagHost, NetDiagPingNum, NetDiagPingSize, NetDiagPingTimeOut and NetDiagTracertHop into underlying system commands (judging by the parameter names, the ping and traceroute diagnostics the handler drives) without sanitization. A value that contains shell metacharacters such as ;, |, & or $( ) therefore breaks out of the intended command line and runs arbitrary OS commands with the privileges of the CGI process, which on embedded firmware is typically root; a successful exploit should be treated as full compromise of the device. The attack vector is network-based with low attack complexity; the attacker needs valid credentials for the web interface (low privileges) and no user interaction. A public exploit is available.

Defensive priority

medium

Recommended defensive actions

  • Restrict access to the web management interface (/cgi-bin/cstecgi.cgi) to trusted management networks only; do not expose it to the internet
  • Segment affected access points from critical infrastructure so that a compromised device cannot reach it
  • Monitor HTTP traffic to /cgi-bin/cstecgi.cgi at a proxy or IDS for setNetworkDiag requests whose NetDiagHost or numeric parameters contain shell metacharacters, and review any device logs for unexpected diagnostic runs or other anomalous command execution
  • Apply firmware updates from Totolink when available and confirm afterwards that the running version is newer than 6.2c.510, the version known to be affected
  • Disable remote (WAN-side) administrative access if it is not operationally required
  • Rotate administrative credentials on affected devices, since exploitation requires an authenticated session, and confirm that default credentials are not in use
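
The following is an added example, not code from the PatchSiren advisory, the VulDB entry or Totolink's firmware. It shows, for the injection described in the technical summary and the monitoring action above, the allow-list the five setNetworkDiag parameters should satisfy, applies it to constructed request bodies (the check a reverse proxy or IDS in front of the management interface could run), and shows how a fixed handler would invoke ping with an argument vector instead of a shell string (the firmware is C, so the argv construction stands in for execve-with-argv rather than system()). Assumptions not stated in the advisory: that cstecgi.cgi takes a JSON body whose topicurl field names the handler, the numeric ranges chosen for the bounds, and the sample requests, which are constructed.

```python
import json
import re
from typing import Optional

# Endpoint and handler name taken from the advisory.
DIAG_PATH = "/cgi-bin/cstecgi.cgi"
DIAG_HANDLER = "setNetworkDiag"

# Allow-lists for the five parameters the advisory names. A hostname or IP
# literal may not start with '-', so a value can never be read as a ping or
# traceroute option; the numeric parameters are bounded integers (bounds are
# an assumption, not values from the advisory).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.:\-]{0,252}")
INT_RE = re.compile(r"[0-9]{1,5}")
PARAM_RULES = {
    "NetDiagHost": (HOST_RE, None),
    "NetDiagPingNum": (INT_RE, (1, 100)),
    "NetDiagPingSize": (INT_RE, (0, 65500)),
    "NetDiagPingTimeOut": (INT_RE, (1, 60)),
    "NetDiagTracertHop": (INT_RE, (1, 255)),
}

# Characters an attacker uses to break out of a shell command line.
SHELL_META = set(";|&`$(){}<>'\"\\\n\r ")


def check_params(params: dict) -> list:
    """Return one finding string per parameter that fails its allow-list."""
    findings = []
    for name, (pattern, bounds) in PARAM_RULES.items():
        if name not in params:
            continue
        value = str(params[name])
        if not pattern.fullmatch(value):
            meta = sorted(set(value) & SHELL_META)
            reason = f"shell metacharacters {meta!r}" if meta else "fails allow-list"
            findings.append(f"{name}={value!r}: {reason}")
        elif bounds and not (bounds[0] <= int(value) <= bounds[1]):
            findings.append(f"{name}={value!r}: outside {bounds}")
    return findings


def scan_request(path: str, body: str) -> Optional[list]:
    """Inspect one HTTP request; None if it is not a setNetworkDiag call.

    Assumption (not stated in the advisory): the CGI takes a JSON body whose
    'topicurl' field selects the handler.
    """
    if path != DIAG_PATH:
        return None
    try:
        params = json.loads(body)
    except ValueError:
        return None
    if not isinstance(params, dict) or params.get("topicurl") != DIAG_HANDLER:
        return None
    return check_params(params)


def build_ping_argv(params: dict) -> list:
    """How a fixed handler should run ping: validated values as separate argv
    entries, so no shell ever interprets a metacharacter. Raises ValueError
    on any parameter that fails validation.
    """
    if "NetDiagHost" not in params:
        raise ValueError("NetDiagHost is required")
    findings = check_params(params)
    if findings:
        raise ValueError("; ".join(findings))
    return [
        "ping",
        "-c", str(params.get("NetDiagPingNum", 4)),
        "-s", str(params.get("NetDiagPingSize", 56)),
        "-W", str(params.get("NetDiagPingTimeOut", 5)),
        str(params["NetDiagHost"]),
    ]


# Constructed sample requests (path, body); none of these is captured traffic.
SAMPLE_REQUESTS = [
    (DIAG_PATH, '{"topicurl":"setNetworkDiag","NetDiagHost":"8.8.8.8",'
                '"NetDiagPingNum":"4","NetDiagPingSize":"56",'
                '"NetDiagPingTimeOut":"5","NetDiagTracertHop":"30"}'),
    (DIAG_PATH, '{"topicurl":"setNetworkDiag","NetDiagHost":"8.8.8.8;id>/tmp/x",'
                '"NetDiagPingNum":"4"}'),
    (DIAG_PATH, '{"topicurl":"setNetworkDiag","NetDiagHost":"example.com",'
                '"NetDiagPingNum":"4$(reboot)"}'),
    (DIAG_PATH, '{"topicurl":"setNetworkDiag","NetDiagHost":"example.com",'
                '"NetDiagPingNum":"99999"}'),
    (DIAG_PATH, '{"topicurl":"otherHandler"}'),
]


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Return (index, findings) for every diag request that fails validation."""
    hits = []
    for i, (path, body) in enumerate(requests):
        findings = scan_request(path, body)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan_all():
        print(f"request {index}: " + "; ".join(findings))
```

Run stand-alone, the script flags requests 1 and 2 (metacharacters in NetDiagHost and NetDiagPingNum) and request 3 (a numeric value outside its bound), and ignores the benign request and the call to another handler. The same allow-list is what the fixed handler applies in build_ping_argv before the values reach ping; rejecting on the allow-list rather than stripping metacharacters avoids the usual bypasses of blacklist-style filtering.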

Evidence notes

Vulnerability confirmed through VulDB CNA submission and public GitHub disclosure. The CVSS 4.0 vector indicates network attack vector with low attack complexity and low privileges required. CWE-77 (command injection) and CWE-78 (OS command injection) are identified as the primary weakness types. NVD status was marked as 'Deferred' at the time of analysis.

Official resources

Public exploit disclosed 2026-05-25