CVE-2026-1157
Published: 19 January 2026
Summary
CVE-2026-1157 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Lr350 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely firmware updates directly remediate the buffer overflow in setWiFiEasyCfg by patching the improper ssid argument handling.
Validates the ssid input to the cgi-bin/cstecgi.cgi script, preventing buffer overflows from oversized or malformed arguments.
Mitigates buffer overflow exploitation through memory protections like stack canaries and non-executable stacks on the router firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a buffer overflow in a public-facing web CGI interface (/cgi-bin/cstecgi.cgi) on a router, exploitable remotely with low privileges for arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available…
more
and might be used.
Deeper analysisAI
CVE-2026-1157 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The issue resides in the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi file, where improper handling of the ssid argument triggers the overflow. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability enables remote exploitation over the network with low complexity and no user interaction required. Attackers need low privileges (PR:L), such as those of an authenticated user, to manipulate the ssid argument and trigger the buffer overflow. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data compromise, or denial of service on the affected device.
Advisories and additional details are available through referenced sources, including a technical write-up at a Notion site detailing the exploit, multiple VulDB entries (ctiid.341751, id.341751, submit.735726), and the official Totolink website. Security practitioners should consult these for patch availability, firmware updates, or workarounds, as the exploit is publicly available and may be actively used.
The public availability of the exploit underscores the need for immediate firmware updates on affected Totolink LR350 devices.
Details
- CWE(s)