Cyber Resilience

CVE-2026-1328

HighPublic PoC

Published: 22 January 2026

Published
22 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0077 50.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1328 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Nr1800X Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-1328 is a buffer overflow vulnerability affecting the Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910. The issue resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. It is triggered by manipulating the 'ssid' argument in a POST request, leading to a buffer overflow. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the device.

Advisories and details are available via VulDB entries (vuldb.com/?ctiid.342304, vuldb.com/?id.342304, vuldb.com/?submit.735792) and a public exploit write-up at lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9. The Totolink vendor site (totolink.net) may offer firmware updates or further guidance, though specific patch details are not detailed in the initial disclosure. The exploit is public and may be used.

Notable context includes the vulnerability's publication on 2026-01-22, with a publicly available exploit increasing the risk of real-world abuse against unpatched Totolink NR1800X devices.

EU & UK References

Vulnerability details

A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely.…

more

The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in public-facing router CGI handler (setWizardCfg) directly enables remote exploitation of an internet-facing application for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5030Same product: Totolink Nr1800X
CVE-2026-1326Same product: Totolink Nr1800X
CVE-2026-1327Same product: Totolink Nr1800X
CVE-2025-9780Same vendor: Totolink
CVE-2025-7837Same vendor: Totolink
CVE-2025-9303Same vendor: Totolink
CVE-2025-9783Same vendor: Totolink
CVE-2025-12239Same vendor: Totolink
CVE-2025-7758Same vendor: Totolink
CVE-2025-7460Same vendor: Totolink

Affected Assets

totolink
nr1800x firmware
9.1.0u.6279_b20210910

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents buffer overflows by validating the size and format of the 'ssid' argument in POST requests to the setWizardCfg function.

prevent

SI-2 ensures timely patching of the buffer overflow vulnerability in the Totolink NR1800X firmware's cstecgi.cgi handler.

prevent

SI-16 deploys memory protections like ASLR and stack canaries to block exploitation of the buffer overflow even if input validation fails.

References