Cyber Posture

CVE-2026-7749

High

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 22.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument priDns leads to buffer overflow. The attack may be initiated…

more

remotely. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates the priDns argument in POST requests to prevent buffer overflow exploitation in the setWanConfig function.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the disclosed buffer overflow flaw through firmware patching for Totolink N300RH routers.

SI-16 Memory Protection partial match
prevent

Implements memory protections like stack guards or ASLR to mitigate successful buffer overflow leading to arbitrary code execution.

Security SummaryAI

CVE-2026-7749 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Totolink N300RH routers running firmware version 3.2.4-B20220812. The flaw resides in the setWanConfig function within the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. It is triggered by manipulating the priDns argument in a POST request, as disclosed on 2026-05-04.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. An attacker with low privileges can exploit it remotely over the network with low complexity and no user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or system crashes.

Advisories and additional details are documented in references including VulDB entries (vuldb.com/vuln/360924, vuldb.com/vuln/360924/cti, vuldb.com/submit/807203), a public exploit disclosure at lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2, and the vendor site at totolink.net. The exploit has been publicly disclosed and may be used.

Details

CWE(s)
CWE-119CWE-120

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Buffer overflow in public-facing CGI handler (setWanConfig/priDns) on network device web interface enables remote authenticated exploitation for arbitrary code execution and full system compromise, directly mapping to T1190 (public app) and T1068 (priv esc from low-priv account).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References