Attack Chain

1. An unauthenticated attacker identifies a vulnerable Totolink N300RH router running firmware version 6.1c.1353_B20190305.
2. The attacker crafts a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. Within the HTTP request, the attacker manipulates the admpass argument in the setPasswordCfg function to include OS command injection payloads.
4. The web server processes the request and passes the admpass argument to the underlying system.
5. The injected OS commands are executed with the privileges of the web server process.
6. The attacker can then execute commands to gain shell access, modify router configurations, or install malware.
7. The attacker uses the gained access to pivot to other devices on the network or to maintain persistence on the router.

Impact

Successful exploitation of CVE-2026-9543 allows an unauthenticated remote attacker to execute arbitrary operating system commands on the affected Totolink N300RH device. This can lead to complete compromise of the device, potentially enabling attackers to eavesdrop on network traffic, modify router settings, or use the device as a point of entry for further attacks on the internal network. Given the high CVSS score (9.8), this vulnerability poses a significant risk.

Recommendation

• Deploy the Sigma rule to detect command injection attempts targeting the /cgi-bin/cstecgi.cgi endpoint (see rule Detect CVE-2026-9543 Exploitation -- Command Injection in Totolink N300RH).
• Monitor web server logs for requests containing shell metacharacters in the admpass parameter (see rule Detect CVE-2026-9543 Exploitation -- Shell Metacharacters in admpass Parameter).
• Apply any available firmware updates released by Totolink to address this vulnerability.
• If firmware updates are not available, consider disabling remote access to the router’s web management interface or implementing access control lists to restrict access to trusted IP addresses.