PatchSiren cyber security CVE debrief
CVE-2026-9534 Totolink CVE debrief
A command injection vulnerability in Totolink CA750-PoE 6.2c.510 allows remote attackers to execute arbitrary OS commands via the PIN parameter in the setWiFiWpsConfig function of /cgi-bin/cstecgi.cgi. The vulnerability has a LOW CVSS 4.0 score (2.1) with network attack vector, low attack complexity, and low privileges required. The exploit has been publicly disclosed.
- Vendor: Totolink
- Product: CA750-PoE
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Network administrators managing Totolink CA750-PoE wireless access points; security teams responsible for IoT device security; organizations using Totolink networking equipment in production environments
Technical summary
The setWiFiWpsConfig function in /cgi-bin/cstecgi.cgi of Totolink CA750-PoE firmware version 6.2c.510 fails to properly sanitize the PIN parameter, allowing OS command injection. An attacker with low privileges can send a crafted HTTP request to execute arbitrary commands on the device. The vulnerability is remotely exploitable without user interaction.
Defensive priority
low
Recommended defensive actions
- Restrict administrative interface access to trusted networks only
- Disable WPS functionality if not required
- Monitor for suspicious requests to /cgi-bin/cstecgi.cgi containing unusual PIN parameter values
- Apply vendor firmware updates when available
- Consider network segmentation for IoT device management interfaces
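An added example of the monitoring item above, written for this debrief and not taken from the advisory or from Totolink: it scans combined-format web access logs for requests to /cgi-bin/cstecgi.cgi whose PIN value does not look like a WPS PIN (eight digits, the last one a checksum digit) or carries shell metacharacters. It assumes the PIN arrives in the query string; the path and parameter name come from the advisory, the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-format access log line (format is an assumption for this example)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')
TARGET_PATH = "/cgi-bin/cstecgi.cgi"          # endpoint named in the advisory
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")       # characters a PIN never needs

def wps_pin_checksum_ok(pin: str) -> bool:
    """True if pin is 8 digits and the 8th digit is a valid WPS checksum."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    acc = sum((3 * int(c) if i % 2 == 0 else int(c)) for i, c in enumerate(pin[:7]))
    return (10 - acc % 10) % 10 == int(pin[7])

def classify_pin(value: str) -> str:
    """Return 'ok', 'malformed' (not a WPS PIN) or 'injection-like' (metacharacters)."""
    if any(c in SHELL_META for c in value):
        return "injection-like"
    return "ok" if wps_pin_checksum_ok(value) else "malformed"

def scan_log(lines):
    """Yield (client ip, PIN value, verdict) for every suspicious PIN seen."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that do not parse
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        if "PIN" not in params:
            continue
        verdict = classify_pin(params["PIN"])  # parse_qsl already URL-decodes
        if verdict != "ok":
            findings.append((m["ip"], params["PIN"], verdict))
    return findings

# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsConfig&PIN=12345670 HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/May/2026:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsConfig&PIN=12345670%3Bx HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/May/2026:10:00:03 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiWpsConfig&PIN=abc HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/May/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, pin, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip}\tPIN={pin!r}\t{verdict}")
```

If the device receives the parameter in a POST body instead, feed the decoded body fields to classify_pin; when request bodies are not logged, the practical signal is any PIN value that is not exactly eight digits.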
Evidence notes
Vulnerability disclosed via VulDB with public exploit reference. CVE status is Deferred in NVD. CVSS 4.0 vector indicates network-accessible attack with low privileges required.