PT-2026-43194 · Totolink · Ca750-Poe

Buoy_Yes

·

Published

2026-05-26

·

Updated

2026-05-26

·

CVE-2026-9534

CVSS v2.0

6.5

Medium

VectorAV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions Totolink CA750-PoE version 6.2c.510
Description A flaw in the Setting Handler component allows for remote OS command injection. The issue exists within the setWiFiWpsConfig() function of the '/cgi-bin/cstecgi.cgi' endpoint. An attacker can trigger this by manipulating the PIN argument.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint or avoid using the PIN argument within the setWiFiWpsConfig() function.

Exploit

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9534

Affected Products

Ca750-Poe