CVE-2026-1157

HighPublic PoC

Published: 19 January 2026

Published

19 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available…

and might be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Timely firmware updates directly remediate the buffer overflow in setWiFiEasyCfg by patching the improper ssid argument handling.

SI-10 Information Input Validation good match

prevent

Validates the ssid input to the cgi-bin/cstecgi.cgi script, preventing buffer overflows from oversized or malformed arguments.

SI-16 Memory Protection partial match

prevent

Mitigates buffer overflow exploitation through memory protections like stack canaries and non-executable stacks on the router firmware.

Security SummaryAI

CVE-2026-1157 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi file, where improper handling of the ssid argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability enables remote exploitation over the network with low complexity and no user interaction required. Attackers need low privileges (PR:L), such as those of an authenticated user, to manipulate the ssid argument and trigger the buffer overflow. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data compromise, or denial of service on the affected device.

Advisories and additional details are available through referenced sources, including a technical write-up at a Notion site detailing the exploit, multiple VulDB entries (ctiid.341751, id.341751, submit.735726), and the official Totolink website. Security practitioners should consult these for patch availability, firmware updates, or workarounds, as the exploit is publicly available and may be actively used.

The public availability of the exploit underscores the need for immediate firmware updates on affected Totolink LR350 devices.

Details

CWE(s): CWE-119 CWE-120

Affected Products

totolink

lr350 firmware

9.3.5u.6369_b20220309

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a buffer overflow in a public-facing web CGI interface (/cgi-bin/cstecgi.cgi) on a router, exploitable remotely with low privileges for arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.341751
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.341751
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.735726
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com