Totolink CA750-PoE
- 6.2c.510
A command injection vulnerability has been identified in the TOTOLink CA750-PoE router running firmware version 6.2c.510. The issue resides in the Setting Handler component, specifically within the setNetworkDiag function of the cstecgi.cgi file. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating several network diagnostic parameters that are directly passed to the system without proper validation.
Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the affected device, potentially allowing for a full system compromise.
To reproduce this vulnerability, send a POST request to the /cgi-bin/cstecgi.cgi endpoint with a crafted payload that includes the desired command in the NetDiagHost parameter. The router will execute the injected command, such as opening a reverse shell via telnet.
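For defenders who cannot patch the device right away, the following added example (not part of the advisory or of TOTOLINK's code) flags HTTP requests to the affected endpoint whose `NetDiagHost` value is anything other than a plain IP address or hostname. The request body format (a JSON object or form-encoded) and the `(method, path, body)` record shape are assumptions, and the sample requests are constructed.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
PARAM = "NetDiagHost"              # parameter named in the advisory

# Hostname syntax: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def is_plain_host(value):
    """True only for an IP literal or a syntactically valid hostname."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def extract_params(body):
    """Parse a JSON object or a form-encoded body (body format is assumed)."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return data
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def is_suspicious(method, path, body):
    """Flag POSTs to the CGI endpoint whose NetDiagHost is not a plain host."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return False
    params = extract_params(body)
    return PARAM in params and not is_plain_host(params[PARAM])

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, '{"NetDiagHost": "example.org"}'),
    ("POST", ENDPOINT, '{"NetDiagHost": "192.0.2.1;CONSTRUCTED_COMMAND"}'),
    ("POST", ENDPOINT, "NetDiagHost=192.0.2.1%3BCONSTRUCTED_COMMAND"),
    ("GET", "/index.html", ""),
]

def flag_requests(requests):
    return [r for r in requests if is_suspicious(*r)]
```

The advisory states that several diagnostic parameters are affected but names only `NetDiagHost`, so the check covers that one parameter; the same allowlist is the validation the handler lacks before the value reaches the system.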