PatchSiren cyber security CVE debrief

CVE-2026-9515 Totolink CVE debrief

A remote OS command injection vulnerability exists in Totolink CA750-PoE firmware version 6.2c.510. The vulnerability resides in the `setUnloadUserData` function within the `/cgi-bin/cstecgi.cgi` Setting Handler component. An authenticated attacker with low privileges can inject arbitrary operating system commands via the `plugin_version` parameter. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and low impacts across confidentiality, integrity, and availability. The exploit has been publicly disclosed and is confirmed functional. The CVE was published on 2026-05-26 and last modified the same day. The vulnerability is not currently listed in CISA KEV.

Vendor
Totolink
Product
CA750-PoE
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Network administrators managing Totolink CA750-PoE wireless access points; security teams responsible for IoT/embedded device security; organizations with remote management interfaces exposed to internal or external networks

Technical summary

The `setUnloadUserData` function in `/cgi-bin/cstecgi.cgi` fails to properly sanitize the `plugin_version` parameter before passing it to system shell execution. An attacker with valid credentials can append shell metacharacters and arbitrary commands to achieve remote code execution. The vulnerability requires low privileges and no user interaction, making it suitable for automated exploitation once credentials are obtained.

Defensive priority

medium

Recommended defensive actions

  • Restrict administrative access to the device's web management interface to trusted networks only
  • Implement network segmentation to isolate affected devices from untrusted networks
  • Monitor for suspicious requests to `/cgi-bin/cstecgi.cgi` whose `plugin_version` parameter contains shell metacharacters
  • Apply firmware updates from Totolink when available
  • Review device logs for unauthorized configuration changes or unexpected process execution
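The monitoring item above can be turned into a concrete detection. The following is an added example written for this debrief, not code from the advisory, from Totolink, or from the CVE submitter. It assumes a simplified, constructed log format (`client method target body`) and assumes that `plugin_version` is visible either in the query string or in a JSON request body; the exact request format the firmware uses is not described on this page, so adapt `parse_line` and `extract_param` to what your proxy or device actually logs.

```python
"""Flag requests to /cgi-bin/cstecgi.cgi whose plugin_version value carries
shell metacharacters.  Added detection example; not part of the advisory."""
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "plugin_version"

# Tokens that have meaning to a POSIX shell: command separators, pipes,
# substitution, redirection and line breaks.  Multi-character forms are
# listed first so findall reports them as one token.
SHELL_META = re.compile(r"\$\(|\|\||&&|[;&|`$<>\n\r]")

# Constructed sample log lines: "<client> <METHOD> <target> <body or ->".
# Values with metacharacters are deliberately harmless strings.
SAMPLE_LOG = [
    "10.0.0.5 GET /cgi-bin/cstecgi.cgi?plugin_version=6.2c.510 -",
    "10.0.0.9 GET /cgi-bin/cstecgi.cgi?plugin_version=6.2c.510%3Btest -",
    '10.0.0.7 POST /cgi-bin/cstecgi.cgi {"plugin_version": "1.0`test`"}',
    "10.0.0.8 GET /index.html -",
    "10.0.0.6 GET /cgi-bin/cstecgi.cgi?other=1 -",
]


def parse_line(line):
    """Split a constructed log line into (client, method, target, body)."""
    client, method, target, body = line.split(" ", 3)
    return client, method, target, body


def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_param(target, body):
    """Return the raw plugin_version value for requests to the CGI path, else None.

    Looks in the query string first, then in a JSON body (assumed format)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if PARAM in query:
        return query[PARAM][0]
    if body and body != "-":
        try:
            data = json.loads(body)
        except ValueError:
            return None
        if isinstance(data, dict) and PARAM in data:
            return str(data[PARAM])
    return None


def find_shell_metachars(value):
    """Return the shell metacharacter tokens present after full URL decoding."""
    return SHELL_META.findall(decode_fully(value))


def scan_log(lines):
    """Return one finding per request whose plugin_version contains metacharacters."""
    hits = []
    for line in lines:
        client, method, target, body = parse_line(line)
        value = extract_param(target, body)
        if value is None:
            continue
        tokens = find_shell_metachars(value)
        if tokens:
            hits.append({
                "client": client,
                "method": method,
                "value": decode_fully(value),
                "tokens": tokens,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT {hit['client']} {hit['method']} {PARAM}={hit['value']!r} tokens={hit['tokens']}")
```

Two design points: the check is scoped to the vulnerable path and parameter rather than to any request containing a `;`, which keeps the false-positive rate manageable on a device management interface, and decoding is repeated a bounded number of times so a `%253B` does not slip past a single-decode filter. A legitimate version string such as `6.2c.510` produces no finding.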

Evidence notes

Vulnerability confirmed via Vuldb submission 813927 and associated technical documentation. CVSS 4.0 vector provided by CNA. Weaknesses mapped to CWE-77 and CWE-78. Vendor attribution based on reference domain candidate 'Vuldb' with low confidence; vendor name marked for review.
