CVE-2026-4976

HighPublic PoC

Published: 27 March 2026

Published

27 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack can be launched remotely. The exploit has been made public…

and could be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely remediation of the buffer overflow flaw through firmware patching or updates.

SI-10 Information Input Validation good match

prevent

Prevents exploitation by validating the ssid argument length and format in the setWiFiGuestCfg CGI function to avoid buffer overflow.

SI-16 Memory Protection good match

prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to block unauthorized code execution from the buffer overflow.

Security SummaryAI

CVE-2026-4976 is a buffer overflow vulnerability (CWE-119, CWE-120) in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The issue affects the setWiFiGuestCfg function in the /cgi-bin/cstecgi.cgi file, where manipulation of the ssid argument triggers the overflow. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this remotely over the network with low complexity and no user interaction. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of the affected device. A public exploit exists and could be used.

References include VulDB entries (ctiid.353863, id.353863, submit.778274) documenting the vulnerability, a Notion site with exploit details, and the Totolink vendor website (totolink.net). No specific patches or mitigation steps are detailed in the disclosure.

The exploit has been made public, increasing the risk of active exploitation against unpatched Totolink LR350 devices.

Details

CWE(s): CWE-119 CWE-120

Affected Products

totolink

lr350 firmware

9.3.5u.6369_b20220309

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Buffer overflow in router web CGI (/cgi-bin/cstecgi.cgi) exploitable remotely (AV:N/PR:L) for full device compromise (C/I/A:H), directly enables public-facing app exploit (T1190), remote service exploitation (T1210), and privilege escalation via exploitation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiGuestCfg-32153a41781f8048a918c1c78e95064e?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.353863
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.353863
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.778274
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com