| Title | TOTOLINK WA1200 V5.9c.2914 NULL Pointer Dereference |
|---|---|
| Description | A NULL pointer dereference vulnerability exists in the cstecgi.cgi CGI program of TOTOLINK WA1200-PoE firmware version V5.9c.2914. The vulnerability is triggered when handling a crafted HTTP request containing the action=login parameter. During request processing, the CGI application attempts to communicate with a local backend service. If the backend connection fails, the response pointer is not properly validated and remains NULL. The program subsequently passes this NULL pointer to cJSON_Parse() and related JSON access routines without checking its validity, resulting in a segmentation fault. A remote, unauthenticated attacker can exploit this vulnerability to crash the CGI process, leading to a DoS condition affecting the device’s web management interface. |
| Source | https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md |
| User | JackWesley (UID 93590) |
| Submission | 01/07/2026 02:51 (5 months ago) |
| Moderation | 01/08/2026 16:15 (2 days later) |
| Status | Accepted |
| VulDB entry | 340128 [TOTOLINK WA1200 5.9c.2914 HTTP Request cstecgi.cgi null pointer dereference] |
| Points | 20 |
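
The description names a missing check on the backend response before it reaches the JSON routines. The sketch below is an added example of the hardened pattern, not TOTOLINK's code and not taken from the linked report. `backend_request`, `get_string_field`, `handle_login`, the `result` field and the status codes are hypothetical, and the toy extractor stands in for cJSON so the block compiles on its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the local backend call. A NULL argument models
 * a failed connection; otherwise a heap copy of the canned reply is returned. */
static char *backend_request(const char *canned) {
    if (canned == NULL) return NULL;
    size_t n = strlen(canned) + 1;
    char *r = malloc(n);
    if (r != NULL) memcpy(r, canned, n);
    return r;
}

/* Toy extractor standing in for the JSON parse + lookup step (not cJSON).
 * Copies the string value of `key` into `out` and returns 0, or returns -1
 * on any failure, including a NULL document. */
static int get_string_field(const char *json, const char *key,
                            char *out, size_t outlen) {
    char pat[64];
    if (json == NULL || key == NULL || out == NULL || outlen == 0) return -1;
    int n = snprintf(pat, sizeof pat, "\"%s\":\"", key);
    if (n < 0 || (size_t)n >= sizeof pat) return -1;
    const char *p = strstr(json, pat);
    if (p == NULL) return -1;
    p += strlen(pat);
    const char *end = strchr(p, '"');
    if (end == NULL || (size_t)(end - p) >= outlen) return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Hardened handler: the response pointer is validated before parsing and
 * every failure maps to an HTTP-style status instead of a crash. */
int handle_login(const char *canned) {
    char value[16];
    char *resp = backend_request(canned);
    if (resp == NULL) return 502;   /* backend unreachable: stop here */
    int rc = get_string_field(resp, "result", value, sizeof value);
    free(resp);
    if (rc != 0) return 500;        /* reply present but malformed */
    return strcmp(value, "ok") == 0 ? 200 : 401;
}

int main(void) {
    printf("backend down -> %d\n", handle_login(NULL));
    return 0;
}
```

With the real cJSON library the same two checks apply: test the response pointer before calling cJSON_Parse(), and test the pointer cJSON_Parse() returns before passing it to any accessor, since it returns NULL on a parse failure.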