CVE-2026-1155
Published: 19 January 2026
Summary
CVE-2026-1155 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Lr350 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely installation of vendor firmware patches to remediate the specific buffer overflow vulnerability in setWiFiEasyGuestCfg.
Mandates validation and bounds checking of the 'ssid' argument to directly prevent the buffer overflow triggered by oversized input.
Deploys memory protection features like stack canaries, ASLR, and non-executable stacks to block exploitation of the buffer overflow for code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable buffer overflow in a router's public-facing web CGI interface (/cgi-bin/cstecgi.cgi), directly enabling T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has…
more
been made public and could be used.
Deeper analysisAI
CVE-2026-1155 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiEasyGuestCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the 'ssid' argument triggers the overflow. Associated with CWE-119 and CWE-120, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or device disruption. A public exploit is available, increasing the risk of widespread abuse.
Advisories from VulDB (including ctiid.341749 and id.341749) document the vulnerability and recent submissions, while the vendor's site at totolink.net may provide patch information or updates. Security practitioners should reference these sources for mitigation guidance, such as firmware upgrades, and apply network segmentation to limit exposure.
The public disclosure of an exploit on a Notion page heightens the urgency for affected devices, as real-world exploitation is feasible given the remote nature and privilege requirements.
Details
- CWE(s)