CVE-2026-9532 Totolink CVE debrief

Who should care

Network administrators managing Totolink CA750-PoE deployments, security teams responsible for SOHO/SMB network infrastructure, and organizations using these access points for wireless connectivity should prioritize assessment and access restriction measures.

Technical summary

The vulnerability exists in the Setting Handler component of Totolink CA750-PoE firmware version 6.2c.510. The `setUploadUserData` function in `/cgi-bin/cstecgi.cgi` fails to properly sanitize the `FileName` parameter, allowing authenticated attackers to inject arbitrary operating system commands. The attack vector is network-based with low complexity and no user interaction required. Successful exploitation grants limited but tangible impacts across confidentiality, integrity, and availability (all rated LOW per CVSS 4.0). The vulnerability is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Defensive priority

medium

Recommended defensive actions

• Restrict administrative interface access to trusted management networks only; disable remote administration if not required
• Implement network segmentation to isolate affected devices from critical infrastructure
• Monitor for anomalous CGI endpoint requests to /cgi-bin/cstecgi.cgi with suspicious FileName parameters
• Apply firmware updates from Totolink when available; verify patch version against 6.2c.510 or later
• Review device configurations for unauthorized changes indicating potential compromise
• resourceLinkAnnotations: [ref-4, ref-6, ref-8]

Evidence notes

Vulnerability identified through coordinated disclosure to VulDB. CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction required, and low impacts across confidentiality, integrity, and availability dimensions. CWE-77 and CWE-78 (command injection weaknesses) assigned by CNA.

Official resources