CVE-2026-1155

HighPublic PoC

Published: 19 January 2026

Published

19 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has…

been made public and could be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely installation of vendor firmware patches to remediate the specific buffer overflow vulnerability in setWiFiEasyGuestCfg.

SI-10 Information Input Validation good match

prevent

Mandates validation and bounds checking of the 'ssid' argument to directly prevent the buffer overflow triggered by oversized input.

SI-16 Memory Protection good match

prevent

Deploys memory protection features like stack canaries, ASLR, and non-executable stacks to block exploitation of the buffer overflow for code execution.

Security SummaryAI

CVE-2026-1155 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiEasyGuestCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the 'ssid' argument triggers the overflow. Associated with CWE-119 and CWE-120, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or device disruption. A public exploit is available, increasing the risk of widespread abuse.

Advisories from VulDB (including ctiid.341749 and id.341749) document the vulnerability and recent submissions, while the vendor's site at totolink.net may provide patch information or updates. Security practitioners should reference these sources for mitigation guidance, such as firmware upgrades, and apply network segmentation to limit exposure.

The public disclosure of an exploit on a Notion page heightens the urgency for affected devices, as real-world exploitation is feasible given the remote nature and privilege requirements.

Details

CWE(s): CWE-119 CWE-120

Affected Products

totolink

lr350 firmware

9.3.5u.6369_b20220309

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remotely exploitable buffer overflow in a router's public-facing web CGI interface (/cgi-bin/cstecgi.cgi), directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.341749
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.341749
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.735718
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com