CVE-2026-1156

HighPublic PoC

Published: 19 January 2026

Published

19 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has…

been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the buffer overflow by validating the 'ssid' argument for correctness, size, and context before processing in the setWiFiBasicCfg function.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms like stack guards or address space randomization to prevent exploitation of the buffer overflow even if invalid input reaches the vulnerable CGI endpoint.

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the specific buffer overflow flaw in Totolink LR350 firmware version 9.3.5u.6369_B20220309 to eliminate the vulnerability.

Security SummaryAI

CVE-2026-1156 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiBasicCfg function within the /cgi-bin/cstecgi.cgi file, where improper handling of the 'ssid' argument leads to the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users on the network. Exploitation involves manipulating the 'ssid' parameter during a request to the affected CGI endpoint, triggering the buffer overflow. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data compromise, or denial of service on the targeted device.

Advisories from VulDB (e.g., ctiid.341750, id.341750) document the vulnerability and reference a publicly disclosed exploit, including a detailed write-up on a Notion site. The Totolink vendor website (totolink.net) provides general support resources, but specific patch details for this firmware version are not outlined in the available references; security practitioners should verify firmware updates directly from the vendor.

Details

CWE(s): CWE-119 CWE-120

Affected Products

totolink

lr350 firmware

9.3.5u.6369_b20220309

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in the router's web CGI interface (/cgi-bin/cstecgi.cgi) allows remote low-privileged attackers to achieve arbitrary code execution, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.341750
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.341750
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.735722
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com