PatchSiren cyber security CVE debrief
CVE-2026-9543 Totolink CVE debrief
A command injection vulnerability in the Totolink N300RH wireless router allows unauthenticated remote attackers to execute arbitrary operating system commands via the Web Management Interface. The vulnerability resides in the `setPasswordCfg` function of `/cgi-bin/cstecgi.cgi`, where the `admpass` parameter is passed unsanitized to a shell command. The CVSS 4.0 score of 8.9 (HIGH) reflects a network attack vector with low complexity, no privileges required, and high impact on confidentiality, integrity, and availability. An exploit has been publicly disclosed, increasing immediate risk. The affected firmware version is 6.1c.1353_B20190305. No patch is currently confirmed available; the CVE status is Deferred per NVD.
- Vendor: Totolink
- Product: N300RH
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
- Network administrators managing Totolink N300RH deployments
- SOHO and residential users with this router model
- Security teams responsible for IoT/edge device protection
- MSSPs monitoring consumer-grade network equipment
Technical summary
The Totolink N300RH router firmware 6.1c.1353_B20190305 contains an OS command injection vulnerability in the `setPasswordCfg` function of `/cgi-bin/cstecgi.cgi`. The `admpass` parameter is passed directly to shell execution without proper sanitization, allowing remote attackers to inject arbitrary commands. The attack requires no authentication and can be executed remotely over the network. The vulnerability is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
Defensive priority
HIGH
Recommended defensive actions
- Restrict network access to the Totolink N300RH Web Management Interface; disable WAN-side management if enabled
- Deploy network segmentation to isolate affected routers from critical infrastructure
- Monitor for suspicious requests to `/cgi-bin/cstecgi.cgi` containing shell metacharacters in the `admpass` parameter
- Apply firmware updates from Totolink when available; verify version postdates 6.1c.1353_B20190305
- Consider replacement if vendor patch timeline is unacceptable given public exploit availability
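The monitoring action above can be implemented as a simple log check. The following is an added example written for this debrief, not code from the advisory or from Totolink: it scans constructed request-log lines of the form `METHOD PATH BODY` (the log format, the `topicurl` field name used to select the CGI function, and the sample bodies are assumptions) and flags `setPasswordCfg` requests whose `admpass` value contains shell metacharacters.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setPasswordCfg"
# Characters that let a value escape a shell command. A legitimate password may
# contain "$", so tune this class to your environment to limit false positives.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Constructed sample log, not real router traffic. Format assumed: METHOD PATH BODY.
SAMPLE_LOG = """\
POST /cgi-bin/cstecgi.cgi {"topicurl":"setPasswordCfg","admpass":"Str0ngPass!"}
POST /cgi-bin/cstecgi.cgi {"topicurl":"setPasswordCfg","admpass":"pw;id"}
POST /cgi-bin/cstecgi.cgi topicurl=setPasswordCfg&admpass=abc%60id%60
POST /cgi-bin/cstecgi.cgi {"topicurl":"setWizardCfg","ssid":"home;x"}
GET /index.htm -
"""


def parse_body(body: str) -> dict:
    """Accept a JSON or form-encoded body and return a flat dict of strings."""
    body = body.strip()
    if body.startswith("{"):
        try:
            return {k: str(v) for k, v in json.loads(body).items()}
        except ValueError:
            return {}
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    return {k: v[0] for k, v in parse_qs(body).items()}


def inspect_request(method: str, path: str, body: str) -> Optional[str]:
    """Return an alert reason for a suspicious setPasswordCfg request, else None."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return None
    params = parse_body(body)
    if params.get("topicurl") != TARGET_FUNC:  # only the vulnerable function
        return None
    admpass = params.get("admpass", "")
    if SHELL_META.search(admpass):
        return f"shell metacharacter in admpass: {admpass!r}"
    return None


def scan_log(lines) -> list:
    """Return (line_number, reason) pairs for every flagged request."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) == 3:
            reason = inspect_request(*parts)
            if reason:
                alerts.append((n, reason))
    return alerts
```

Run against `SAMPLE_LOG.splitlines()` the scanner flags lines 2 and 3 only; the `setWizardCfg` line is ignored because the check is scoped to the function named in the advisory.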
Evidence notes
Vulnerability identified in Totolink N300RH firmware 6.1c.1353_B20190305. Command injection via the `admpass` parameter in the `setPasswordCfg` function of `/cgi-bin/cstecgi.cgi`. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/E:P. Classified under CWE-77 and CWE-78. Exploit published to GitHub. NVD status: Deferred.
Official resources
Public exploit disclosure confirmed; no known active exploitation in CISA KEV