CVE-2026-9512

6.3 MEDIUM

A security flaw has been discovered in Totolink CA750-PoE 6.2c.510

Published: 2026-05-25 · Last updated: 2026-05-26

Severity and scoring

CVSS: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-77, CWE-78

Description

A security flaw has been discovered in Totolink CA750-PoE 6.2c.510. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument admuser/admpass results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9512
[Other]https://github.com/wudipjq/my_vuln/blob/main/totolink4/vuln_50/50.md
[Other]https://vuldb.com/submit/813923
[Other]https://vuldb.com/vuln/365512
[Other]https://vuldb.com/vuln/365512/cti
[Other]https://www.totolink.net/

Related CVEs

Same CWE

CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
CVE-2024-24909 — Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin (8.8 HIGH)
CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)