PT-2026-43194 · Totolink · Ca750-Poe
Buoy_Yes
·
Published
2026-05-26
·
Updated
2026-05-26
·
CVE-2026-9534
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Totolink CA750-PoE version 6.2c.510
Description
A flaw in the Setting Handler component allows for remote OS command injection. The issue exists within the
setWiFiWpsConfig() function of the '/cgi-bin/cstecgi.cgi' endpoint. An attacker can trigger this by manipulating the PIN argument.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint or avoid using the
PIN argument within the setWiFiWpsConfig() function.Exploit
OS Command Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Ca750-Poe