CVE-2026-0731
Published: 08 January 2026
Summary
CVE-2026-0731 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Totolink Wa1200-Poe. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0731 is a null pointer dereference vulnerability (CWE-404, CWE-476) in TOTOLINK WA1200 firmware version 5.9c.2914. The flaw affects an unknown function within the cstecgi.cgi file of the HTTP Request Handler component.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers with network access can trigger the issue, resulting in a denial-of-service condition through application crash, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Advisories note that the exploit has been publicly disclosed and may be used, with a proof-of-concept available in a GitHub repository linked in the references, alongside VulDB entries documenting the issue. No patches or specific mitigations are mentioned in the provided details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1818
Vulnerability details
A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried…
more
out remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated null pointer dereference in HTTP handler (cstecgi.cgi) directly enables exploitation of public-facing application for endpoint DoS via crash.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly protects against remote unauthenticated requests that trigger null pointer dereference crashes in the HTTP handler, mitigating the resulting DoS condition.
Requires validation of inputs to cstecgi.cgi to reject malformed requests that cause the null pointer dereference.
Ensures the HTTP Request Handler performs graceful error handling rather than crashing on null pointer dereference.