Cyber Posture

CVE-2026-4976

High · Public PoC

Published: 27 March 2026

Modified: 03 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4976 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink LR350 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates the CVE by requiring timely remediation of the buffer overflow flaw through firmware patching or updates.

prevent

Prevents exploitation by validating the ssid argument length and format in the setWiFiGuestCfg CGI function to avoid buffer overflow.

prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to block unauthorized code execution from the buffer overflow.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The buffer overflow in the router's web CGI (/cgi-bin/cstecgi.cgi) is remotely exploitable (AV:N/PR:L) and can lead to full device compromise (C/I/A:H). It therefore maps directly to public-facing application exploitation (T1190), remote service exploitation (T1210), and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.

Deeper analysisAI

CVE-2026-4976 is a buffer overflow vulnerability (CWE-119, CWE-120) in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The issue affects the setWiFiGuestCfg function in the /cgi-bin/cstecgi.cgi file, where manipulation of the ssid argument triggers the overflow. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this remotely over the network with low complexity and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially allowing full compromise of the affected device. A public exploit exists and could be used.

References include VulDB entries (ctiid.353863, id.353863, submit.778274) documenting the vulnerability, a Notion site with exploit details, and the Totolink vendor website (totolink.net). No specific patches or mitigation steps are detailed in the disclosure.

The exploit has been made public, increasing the risk of active exploitation against unpatched Totolink LR350 devices.

Details

CWE(s)

Affected Products

totolink · lr350 firmware · 9.3.5u.6369_b20220309

CVEs Like This One

CVE-2026-1158 · Same product: Totolink LR350
CVE-2026-1157 · Same product: Totolink LR350
CVE-2026-1155 · Same product: Totolink LR350
CVE-2026-1156 · Same product: Totolink LR350
CVE-2026-1150 · Same product: Totolink LR350
CVE-2026-1149 · Same product: Totolink LR350
CVE-2025-7912 · Same vendor: Totolink
CVE-2025-12240 · Same vendor: Totolink
CVE-2026-1686 · Same vendor: Totolink
CVE-2025-8170 · Same vendor: Totolink
