CVE-2026-1156
Published: 19 January 2026
Summary
CVE-2026-1156 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Lr350 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the buffer overflow by validating the 'ssid' argument for correctness, size, and context before processing in the setWiFiBasicCfg function.
Implements memory protection mechanisms like stack guards or address space randomization to prevent exploitation of the buffer overflow even if invalid input reaches the vulnerable CGI endpoint.
Requires timely patching of the specific buffer overflow flaw in Totolink LR350 firmware version 9.3.5u.6369_B20220309 to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the router's web CGI interface (/cgi-bin/cstecgi.cgi) allows remote low-privileged attackers to achieve arbitrary code execution, directly enabling exploitation of a public-facing application.
NVD Description
A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has…
more
been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-1156 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiBasicCfg function within the /cgi-bin/cstecgi.cgi file, where improper handling of the 'ssid' argument leads to the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users on the network. Exploitation involves manipulating the 'ssid' parameter during a request to the affected CGI endpoint, triggering the buffer overflow. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data compromise, or denial of service on the targeted device.
Advisories from VulDB (e.g., ctiid.341750, id.341750) document the vulnerability and reference a publicly disclosed exploit, including a detailed write-up on a Notion site. The Totolink vendor website (totolink.net) provides general support resources, but specific patch details for this firmware version are not outlined in the available references; security practitioners should verify firmware updates directly from the vendor.
Details
- CWE(s)