CVE-2026-1156 – A buffer overflow vulnerability in Totolink LR3... (How to Fix)

Q: What is the severity of CVE-2026-1156?

CVE-2026-1156 has a CVSS score of 8.8 (HIGH). A buffer overflow vulnerability in Totolink LR350 routers allows remote attackers to execute arbitrary code by manipulating the ssid parameter in the setWiFiBasicCfg function. This affects Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

A buffer overflow vulnerability in Totolink LR350 routers allows remote attackers to execute arbitrary code by manipulating the ssid parameter in the setWiFiBasicCfg function. This affects Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Totolink LR350

Versions: 9.3.5u.6369_B20220309

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface accessible via HTTP/HTTPS. The vulnerable endpoint is /cgi-bin/cstecgi.cgi with the setWiFiBasicCfg function.

📦 What is this software?

Lr350 Firmware by Totolink

View all CVEs affecting Lr350 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, network pivoting, and data exfiltration.

🟠

Likely Case

Device takeover allowing attackers to modify router settings, intercept network traffic, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing routers.

🏢 Internal Only: MEDIUM - Internal devices could still be exploited by attackers who gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit details are available in the disclosed references. The vulnerability requires sending specially crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check Totolink website for firmware updates. 2. Download latest firmware for LR350. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to router management interface using firewall rules.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

all

Turn off remote administration features in router settings.

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict network segmentation
Implement network monitoring and intrusion detection for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface or using curl: curl -k http://ROUTER_IP/cgi-bin/cstecgi.cgi

Check Version:

curl -k http://ROUTER_IP/cgi-bin/cstecgi.cgi | grep -i version

Verify Fix Applied:

Verify firmware version has been updated to a version later than 9.3.5u.6369_B20220309

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/cstecgi.cgi with setWiFiBasicCfg function
Large ssid parameter values in HTTP requests
Router crash or reboot logs

Network Indicators:

HTTP requests with abnormally long ssid parameters
Multiple failed exploit attempts from single source

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND params CONTAINS "setWiFiBasicCfg")

📊 Metadata

CVE ID: CVE-2026-1156

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.14% exploit probability (34.2th percentile)

Published: January 19, 2026

Last Updated: January 29, 2026

🔗 References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link Exploit,Third Party Advisory
https://vuldb.com/?ctiid.341750 Permissions Required,VDB Entry
https://vuldb.com/?id.341750 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.735722 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1156, you might also want to check these: