CVE-2026-9513: Totolink CA750-PoE Setting cstecgi.cgi NTPSyncWithHost os command injection

Published May 25, 2026

Updated

A weakness has been identified in Totolink CA750-PoE 6.2c.510. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument host_time can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Affected Software

1 affected component

TOTOLINK CA750-PoE=6.2c.510

Event History

May 25, 2026

CVE Published

via MITRE·10:30 PM

Data Sourced

via MITRE·10:30 PM

DescriptionSeverityWeakness

Frequently Asked Questions

What is the severity of CVE-2026-9513?

The severity of CVE-2026-9513 is classified as medium with a score of 6.3.

How do I fix CVE-2026-9513?

To fix CVE-2026-9513, update the Totolink CA750-PoE firmware to the latest version provided by the manufacturer.

What type of vulnerability is CVE-2026-9513?

CVE-2026-9513 is an OS command injection vulnerability.

Can CVE-2026-9513 be exploited remotely?

Yes, CVE-2026-9513 can be exploited remotely through manipulation of the host_time argument.

What component of Totolink CA750-PoE is affected by CVE-2026-9513?

CVE-2026-9513 affects the NTPSyncWithHost function in the /cgi-bin/cstecgi.cgi file.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.