CVE-2026-1158

8.8 HIGH

📋 TL;DR

A remote buffer overflow vulnerability in Totolink LR350 routers allows attackers to execute arbitrary code by sending specially crafted POST requests to the setWizardCfg function. This affects Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Totolink LR350
Versions: 9.3.5u.6369_B20220309
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable CGI endpoint is typically accessible via web interface on port 80/443. Default configurations expose this to network access.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept network traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering or if vulnerable interfaces are not internet-facing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, making this easily weaponizable. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check the Totolink website for a firmware update for the LR350.
2. Download the latest LR350 firmware image.
3. Log in to the router admin interface.
4. Open the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router, then confirm the reported firmware version has changed.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate Totolink LR350 routers from the internet and restrict access to the management interface to a dedicated admin VLAN or host. If WAN-side remote management is enabled in the router's settings, turn it off.

Access Control Lists (linux)

Implement firewall rules to block external access to the router web interface (ports 80, 443, 8080). Applied unchanged, rules that drop every packet to those ports also lock out LAN administrators, so scope them to the untrusted interface; WAN_IF below is an assumed interface name, adjust it to the real one. These INPUT rules only take effect on the box that receives the traffic (the router itself, if you have a shell on it, or a Linux device standing in for it); on an upstream Linux gateway that forwards packets to the router, the equivalent rules belong in the FORWARD chain with the router's address as destination.

WAN_IF=eth0   # assumed name of the untrusted/WAN interface
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 443 -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Replace vulnerable Totolink LR350 routers with patched or alternative devices
  • Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

The firmware build is the deciding factor. Read it from the status page of the admin interface (the LR350 reports a string of the form 9.3.5u.6369_B20220309); if it matches that build, the device is affected. A plain GET to the CGI, curl -s http://router-ip/cgi-bin/cstecgi.cgi, only confirms that the endpoint is reachable; it says nothing about whether the overflow is present.

Check Version:

curl -s http://router-ip/ | grep -i firmware || ssh admin@router-ip 'cat /etc/version'

If the landing page does not embed the version (it is often loaded by script after login), read it from the status page in the admin interface instead. The ssh fallback only works if a shell has been enabled on the device, which is not the default, and the file path is not documented by the vendor.

Verify Fix Applied:

Confirm the status page reports a build newer than 9.3.5u.6369_B20220309. Totolink has not named a fixed version, so treat a newer build as "not the known-bad build" rather than "confirmed fixed" until the vendor says otherwise. Re-test the endpoint only in a lab and with authorization: sending the public PoC to a production router can crash the CGI or the device.
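Comparing Totolink build strings by hand is error-prone, so here is an added example (not vendor code and not from this advisory) that parses the version format shown on this page, pulls a version out of a status-page body, and classifies it against the affected build. The version pattern is inferred from the single string on this page and is an assumption, as is the HTML snippet in the usage; because no patch version has been published, a newer build is reported as unverified rather than fixed.

```python
"""Classify a Totolink LR350 firmware version against the build named in
CVE-2026-1158.  Added example, not vendor code.

Assumptions (not from the advisory):
  - version strings follow the pattern of the one string on the page,
    "<major>.<minor>.<patch><suffix>.<build>_B<YYYYMMDD>";
  - a later build number/date than the affected one means "unverified",
    never "fixed", because the vendor has not published a patch version.
"""
import re
from datetime import date
from typing import NamedTuple, Optional

AFFECTED_VERSION = "9.3.5u.6369_B20220309"   # from the advisory

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<suffix>[a-z]*)"
    r"\.(?P<build>\d+)_B(?P<date>\d{8})$"
)
# Looser form for locating a version inside arbitrary page text.
_VERSION_IN_TEXT_RE = re.compile(r"\d+\.\d+\.\d+[a-z]*\.\d+_B\d{8}")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix: str
    build: int
    build_date: date

    @property
    def sort_key(self):
        # Suffix letters are not ordered in any documented way, so they are
        # excluded from ordering; build number and date decide.
        return (self.major, self.minor, self.patch, self.build, self.build_date)


def parse_version(text: str) -> FirmwareVersion:
    """Parse one Totolink-style version string; raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Totolink version string: {text!r}")
    d = m["date"]
    return FirmwareVersion(
        int(m["major"]), int(m["minor"]), int(m["patch"]), m["suffix"],
        int(m["build"]), date(int(d[:4]), int(d[4:6]), int(d[6:])),
    )


def extract_version(page_text: str) -> Optional[str]:
    """Return the first version-looking token in a status page body, if any."""
    m = _VERSION_IN_TEXT_RE.search(page_text)
    return m.group(0) if m else None


def classify(version_text: str) -> str:
    """'affected' for the exact build; otherwise say which side of it we are on."""
    v = parse_version(version_text)
    a = parse_version(AFFECTED_VERSION)
    if v == a:
        return "affected"
    if v.sort_key > a.sort_key:
        return "newer-build-unverified"
    return "older-build-unverified"


if __name__ == "__main__":
    # Constructed status-page fragment (assumed markup, not captured from a device).
    sample_html = "<td>Firmware Version</td><td>V9.3.5u.6369_B20220309</td>"
    found = extract_version(sample_html)
    print(found, "->", classify(found) if found else "no version found")
```

Feed extract_version() the body of the admin status page after login; a result of "affected" is the only definitive answer, and either "unverified" outcome means the build should be cross-checked against whatever the vendor publishes.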

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with setWizardCfg parameter
  • Large payloads in HTTP requests to router interface
  • Router configuration changes without authorized user activity

Network Indicators:

  • Multiple failed exploitation attempts to router CGI endpoints
  • Unusual outbound connections from router to unknown IPs
  • Router-originated traffic the device would not normally generate, such as scanning the LAN or sustained connections to unfamiliar destinations

SIEM Query (pseudo-syntax; map the field names to your log source, and note that the function name travels in the POST body, so the params field must be matched against the body rather than the query string):

source="router-logs" AND (uri="/cgi-bin/cstecgi.cgi" AND method="POST" AND params="setWizardCfg")
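The indicators above as a runnable check, written for this page rather than taken from the advisory or the vendor: it parses access-log-style lines, keeps POSTs to /cgi-bin/cstecgi.cgi, and flags setWizardCfg requests, oversized bodies, server errors and repeat sources. The log format, the sample lines, the topicurl key in them and both thresholds are assumptions, labelled in the code.

```python
"""Run the log indicators for CVE-2026-1158 over access-log lines.

Added example for this page; not part of the advisory or any vendor tooling.
Assumptions not taken from the page:
  - log format: combined-log-style lines with the POST body appended as a
    final quoted field (as a reverse proxy or tap in front of the router
    could write them); every SAMPLE_LOG line is constructed, and the JSON
    key "topicurl" in them is an assumed name for the field that selects
    the CGI function;
  - BODY_SIZE_THRESHOLD and REPEAT_THRESHOLD are arbitrary tuning values.
"""
import re
from collections import Counter
from typing import Any, Dict, List

CGI_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setWizardCfg"
BODY_SIZE_THRESHOLD = 512   # bytes; wizard form fields are short (assumption)
REPEAT_THRESHOLD = 3        # setWizardCfg POSTs from one source (assumption)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>.*)")?$'
)


def _line(src: str, ts: str, method: str, uri: str, status: int, body: str = "") -> str:
    """Build one constructed log line in the format LOG_RE expects."""
    base = f'{src} - - [{ts}] "{method} {uri} HTTP/1.1" {status} -'
    return base if not body else f'{base} "{body}"'


# Constructed sample lines (not captured traffic).
SAMPLE_LOG: List[str] = [
    _line("192.0.2.10", "01/Mar/2026:10:00:01 +0000", "GET", "/", 200),
    _line("192.0.2.10", "01/Mar/2026:10:00:05 +0000", "POST", CGI_PATH, 200,
          '{"topicurl":"setWizardCfg","ssid":"home"}'),
    _line("198.51.100.7", "01/Mar/2026:10:01:00 +0000", "POST", CGI_PATH, 200,
          '{"topicurl":"setWizardCfg","ssid":"' + "A" * 1200 + '"}'),
    _line("198.51.100.7", "01/Mar/2026:10:01:01 +0000", "POST", CGI_PATH, 500,
          '{"topicurl":"setWizardCfg","ssid":"' + "B" * 1200 + '"}'),
    _line("198.51.100.7", "01/Mar/2026:10:01:02 +0000", "POST", CGI_PATH, 500,
          '{"topicurl":"setWizardCfg","ssid":"' + "C" * 1200 + '"}'),
    _line("203.0.113.5", "01/Mar/2026:10:02:00 +0000", "POST", CGI_PATH, 200,
          '{"topicurl":"someOtherCfg"}'),
]


def analyze(lines: List[str]) -> Dict[str, Any]:
    """Return flagged requests, setWizardCfg attempts per source, and repeat offenders."""
    findings: List[Dict[str, Any]] = []
    attempts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparseable line: skip, do not guess
        if m["method"] != "POST" or m["uri"].split("?", 1)[0] != CGI_PATH:
            continue                       # only POSTs to the CGI matter here
        body = m["body"] or ""
        reasons: List[str] = []
        if TARGET_FUNC in body:
            reasons.append("setWizardCfg")
            attempts[m["src"]] += 1
        if len(body.encode()) > BODY_SIZE_THRESHOLD:
            reasons.append(f"oversized-body:{len(body.encode())}")
        if m["status"].startswith("5"):
            reasons.append("server-error")  # a crashed CGI tends to answer 5xx or nothing
        if reasons:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "status": m["status"], "reasons": reasons})
    repeat = {ip: n for ip, n in attempts.items() if n >= REPEAT_THRESHOLD}
    return {"findings": findings, "attempts": dict(attempts), "repeat_offenders": repeat}


def suspicious_sources(lines: List[str]) -> List[str]:
    """Sources worth blocking: an oversized setWizardCfg body, or repeated attempts."""
    report = analyze(lines)
    hits = {
        f["src"] for f in report["findings"]
        if "setWizardCfg" in f["reasons"]
        and any(r.startswith("oversized-body") for r in f["reasons"])
    }
    return sorted(hits | set(report["repeat_offenders"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
    print("block:", suspicious_sources(SAMPLE_LOG))
```

A benign setWizardCfg POST from the admin host (the second sample line) is reported but not escalated; only an oversized body or a burst of attempts from one source lands in suspicious_sources(), which keeps legitimate wizard use from tripping the block list.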
