CVE-2026-7503
Published: 30 April 2026
Summary
CVE-2026-7503 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Code Projects (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow vulnerability in setWiFiMultipleConfig by applying vendor patches or firmware updates to eliminate the flaw.
Validates the length and content of the wepkey2 argument in cstecgi.cgi to prevent buffer overflows from crafted inputs.
Implements memory protections like stack canaries, ASLR, and DEP to block exploitation of the buffer overflow even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote buffer overflow in a public-facing CGI endpoint (/cgi-bin/cstecgi.cgi) allowing authenticated low-privilege users to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications.
NVD Description
A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be launched remotely.…
more
The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-7503 is a buffer overflow vulnerability affecting Plugin 4.1.2cu.5137, specifically in the setWiFiMultipleConfig function within the /lib/cste_modules/wireless.so library loaded by /cgi-bin/cstecgi.cgi. The issue arises from manipulation of the wepkey2 argument, classified under CWE-119 and CWE-120. It was published on 2026-04-30 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by an attacker with low privileges, such as an authenticated user, who can send crafted requests to the cstecgi.cgi endpoint. Successful exploitation of the buffer overflow could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or denial of service on the affected device.
References include a public proof-of-concept exploit on GitHub targeting the TOTOLINK A800R device, VulDB entries detailing the vulnerability (vuln/360313), a submission page, and the vendor site code-projects.org. No specific patches or mitigation steps are detailed in the provided information. The exploit is publicly available, increasing the risk of real-world attacks.
Details
- CWE(s)