CVE-2026-9533— Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9533
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
TOTOLINK CA750-PoE 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TOTOLINK CA750-PoE是中国吉翁电子(TOTOLINK)公司的一款无线网络接入设备。 TOTOLINK CA750-PoE 6.2c.510版本存在操作系统命令注入漏洞,该漏洞源于Setting Handler组件中/cgi-bin/cstecgi.cgi文件的recvUpgradeNewFw函数对fwUrl/magicid参数操作不当,可能导致os命令注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-9533
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9533
请登录查看更多情报信息。
News Coverage for CVE-2026-9533 (1)
Same Patch Batch · Totolink · 2026-05-26 · 5 CVEs total
| CVE-2026-9543 | 9.8 CRITICAL | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection |
| CVE-2026-9534 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os command injection |
| CVE-2026-9532 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection |
| CVE-2026-9531 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os command injection |
IV. Related Vulnerabilities
Same product: CA750-PoE
- CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9532
Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os - CVE-2026-9514
Totolink CA750-PoE Setting cstecgi.cgi setNetworkDiag os com
Same vendor: Totolink
- CVE-2026-9543
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os - CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9532
Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os
Same weakness: CWE-78
- CVE-2026-44466
Zed: Allowlist Bypass via Bash Arithmetic Expansion in Termi - CVE-2026-44465
Zed: Zed IDE Arbitrary Code Execution via untrusted reposito - CVE-2026-44461
Zed: Remote Command Injection via Unquoted Environment Varia - CVE-2026-4408
Samba: remote code execution in samr - CVE-2026-44604
Rpm: command injection in rpmuncompress dountar() via unesca
V. Comments for CVE-2026-9533
No comments yet