{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/n300rh-6.1c.1353_b20190305/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9543"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["N300RH 6.1c.1353_B20190305"],"_cs_severities":["critical"],"_cs_tags":["cve","command injection","rce","totolink"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-9543, has been identified in Totolink N300RH router firmware version 6.1c.1353_B20190305. The vulnerability resides within the Web Management Interface, specifically in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file\u0026rsquo;s \u003ccode\u003esetPasswordCfg\u003c/code\u003e function. By manipulating the \u003ccode\u003eadmpass\u003c/code\u003e argument, a remote attacker can inject arbitrary operating system commands. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability allows unauthenticated attackers to execute commands on the underlying operating system of the router.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Totolink N300RH router running firmware version 6.1c.1353_B20190305.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003eadmpass\u003c/code\u003e argument in the \u003ccode\u003esetPasswordCfg\u003c/code\u003e function to include OS command injection payloads.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the \u003ccode\u003eadmpass\u003c/code\u003e argument to the underlying system.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute commands to gain shell access, modify router configurations, or install malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to pivot to other devices on the network or to maintain persistence on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9543 allows an unauthenticated remote attacker to execute arbitrary operating system commands on the affected Totolink N300RH device. This can lead to complete compromise of the device, potentially enabling attackers to eavesdrop on network traffic, modify router settings, or use the device as a point of entry for further attacks on the internal network. Given the high CVSS score (9.8), this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect command injection attempts targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint (see rule \u003ccode\u003eDetect CVE-2026-9543 Exploitation -- Command Injection in Totolink N300RH\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing shell metacharacters in the \u003ccode\u003eadmpass\u003c/code\u003e parameter (see rule \u003ccode\u003eDetect CVE-2026-9543 Exploitation -- Shell Metacharacters in admpass Parameter\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates released by Totolink to address this vulnerability.\u003c/li\u003e\n\u003cli\u003eIf firmware updates are not available, consider disabling remote access to the router\u0026rsquo;s web management interface or implementing access control lists to restrict access to trusted IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:20:53Z","date_published":"2026-05-26T14:20:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/","summary":"Totolink N300RH version 6.1c.1353_B20190305 is vulnerable to remote command injection via manipulation of the 'admpass' argument in the setPasswordCfg function of the /cgi-bin/cstecgi.cgi file within the Web Management Interface, allowing for remote code execution.","title":"Totolink N300RH Command Injection Vulnerability (CVE-2026-9543)","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — N300RH 6.1c.1353_B20190305","version":"https://jsonfeed.org/version/1.1"}