Buoy_Yes

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** A weakness in the Setting Handler component allows remote OS command injection. The issue exists within the `setUpgradeUboot()` function of the '/cgi-bin/cstecgi.cgi' endpoint, where improper manipulation of the `FileName` argument enables the execution of arbitrary operating system commands. This flaw is being actively exploited in real-world attacks to gain unauthorized access and potentially achieve full system compromise. **Recommendations** Update Totolink CA750-PoE version 6.2c.510 to the latest patched version. As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** An OS command injection issue exists in the Setting Handler component. A remote attacker can manipulate the `FileName` argument within the `setUploadUserData()` function of the '/cgi-bin/cstecgi.cgi' endpoint to execute arbitrary operating system commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** An OS command injection issue exists in the Setting Handler component. A remote attacker can trigger this by manipulating the `fwUrl` or `magicid` arguments within the `recvUpgradeNewFw()` function of the '/cgi-bin/cstecgi.cgi' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** A flaw in the Setting Handler component allows for remote OS command injection. The issue exists within the `setWiFiWpsConfig()` function of the '/cgi-bin/cstecgi.cgi' endpoint. An attacker can trigger this by manipulating the `PIN` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint or avoid using the `PIN` argument within the `setWiFiWpsConfig()` function.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** An OS command injection issue exists in the Setting Handler component. A remote attacker can manipulate the `webWlanIdx` argument within the `setWebWlanIdx()` function of the '/cgi-bin/cstecgi.cgi' endpoint to execute arbitrary operating system commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** An OS command injection issue exists in the Setting Handler component. A remote attacker can exploit this by manipulating the `plugin version` argument within the `setUnloadUserData()` function of the '/cgi-bin/cstecgi.cgi' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** A security flaw in the Setting Handler component allows for remote OS command injection. This occurs through the manipulation of the `admuser` and `admpass` arguments within the `setPasswordCfg()` function of the '/cgi-bin/cstecgi.cgi' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** A weakness in the Setting Handler component allows for remote OS command injection. This occurs through the manipulation of the `host time` argument within the `NTPSyncWithHost()` function of the '/cgi-bin/cstecgi.cgi' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink CA750-PoE version 6.2c.510 **Description** An OS command injection issue exists in the Setting Handler component. The `setNetworkDiag()` function within the '/cgi-bin/cstecgi.cgi' endpoint fails to properly sanitize several arguments, allowing a remote attacker to execute arbitrary operating system commands. The affected variables include `NetDiagHost`, `NetDiagPingNum`, `NetDiagPingSize`, `NetDiagPingTimeOut`, and `NetDiagTracertHop`. **Recommendations** As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint or disable the `setNetworkDiag()` function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.