CVE-2026-9543
CRITICALTotolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection
Title source: cnaDescription
A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-365607 | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection
https://vuldb.com/vuln/365607
Signature, Permissions Required signature
permissions-required
VDB-365607 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/365607/cti
Third Party Advisory third-party-advisory
Submit #815068 | Totolink N300RHv4 V6.1c.1353_B20190305 OS Command Injection
https://vuldb.com/submit/815068
Exploit exploit
https://github.com/A1ester/TOTOLINK-N300RH-Command-Injection
Product product
https://www.totolink.net/
Scores
CVSS v3
9.8
EPSS
0.0213
EPSS Percentile
79.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-77
CWE-78
Status
published
Products (1)
Totolink/N300RH
6.1c.1353_B20190305
Published
May 26, 2026
Tracked Since
May 26, 2026