CVE-2026-9543 | THREATINT

Description

A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

PUBLISHED Reserved 2026-05-26 | Published 2026-05-26 | Updated 2026-05-26 | Assigner VulDB

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

CRITICAL: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

10.0AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Problem types

OS Command Injection

Command Injection

Product status

6.1c.1353_B20190305

affected

Timeline

2026-05-26:	Advisory disclosed
2026-05-26:	VulDB entry created
2026-05-26:	VulDB entry last update

Credits

a1ester (VulDB User) reporter

References

vuldb.com/submit/815068 exploit

vuldb.com/vuln/365607 (VDB-365607 | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection) vdb-entry technical-description

vuldb.com/vuln/365607/cti (VDB-365607 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/815068 (Submit #815068 | Totolink N300RHv4 V6.1c.1353_B20190305 OS Command Injection) third-party-advisory

github.com/A1ester/TOTOLINK-N300RH-Command-Injection exploit

www.totolink.net/ product

cve.org (CVE-2026-9543)

nvd.nist.gov (CVE-2026-9543)

Download JSON