CVE-2026-1328
Published: 22 January 2026
Summary
CVE-2026-1328 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Nr1800X Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents buffer overflows by validating the size and format of the 'ssid' argument in POST requests to the setWizardCfg function.
SI-2 ensures timely patching of the buffer overflow vulnerability in the Totolink NR1800X firmware's cstecgi.cgi handler.
SI-16 deploys memory protections like ASLR and stack canaries to block exploitation of the buffer overflow even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing router CGI handler (setWizardCfg) directly enables remote exploitation of an internet-facing application for arbitrary code execution.
NVD Description
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely.…
more
The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-1328 is a buffer overflow vulnerability affecting the Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910. The issue resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. It is triggered by manipulating the 'ssid' argument in a POST request, leading to a buffer overflow. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the device.
Advisories and details are available via VulDB entries (vuldb.com/?ctiid.342304, vuldb.com/?id.342304, vuldb.com/?submit.735792) and a public exploit write-up at lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9. The Totolink vendor site (totolink.net) may offer firmware updates or further guidance, though specific patch details are not detailed in the initial disclosure. The exploit is public and may be used.
Notable context includes the vulnerability's publication on 2026-01-22, with a publicly available exploit increasing the risk of real-world abuse against unpatched Totolink NR1800X devices.
Details
- CWE(s)