CVE-2026-1149: Command Injection in Totolink LR350
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1149 is a command injection vulnerability in Totolink LR350 router firmware version 9.3.5u.6369_B20220309. It resides in the setDiagnosisCfg function reached through the /cgi-bin/cstecgi.cgi POST request handler: the 'ip' parameter is not properly sanitized, so a crafted value lets an attacker inject arbitrary OS commands. The analysis describes the flaw as exploitable remotely without authentication or user interaction, making it reachable by attackers over the network. The CVSS 4.0 vector records a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. low rather than none, which is in tension with the unauthenticated-exploitation claim and should be confirmed against the vendor's advisory), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Despite the medium severity rating (5.3), the public availability of an exploit increases the likelihood of exploitation. Successful exploitation lets an attacker execute arbitrary commands on the device, potentially leading to full device compromise, unauthorized network access, or pivoting within the affected network. The lack of patches or official mitigation guidance at the time of publication makes compensating controls urgent. Because the device is a network router, exploitation could disrupt traffic, compromise data confidentiality, or give attackers a persistent foothold.
Potential Impact
The impact of CVE-2026-1149 can be significant for organizations that rely on Totolink LR350 routers in their network infrastructure. Exploitation allows a remote attacker to execute arbitrary commands on the device, potentially leading to full device compromise, unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. Compromised devices can also serve as a foothold for further attacks against internal systems or for exfiltrating sensitive data. The medium CVSS score reflects moderate impact on confidentiality, integrity, and availability, but the ease of remote exploitation raises the risk profile. Organizations with large deployments of this router model, or those in critical infrastructure sectors, face increased operational risk, including service outages and data breaches. The lack of patches or mitigations at the time of disclosure further exacerbates the potential impact.
Mitigation Recommendations
To mitigate CVE-2026-1149, organizations should first verify whether their Totolink LR350 devices run the affected firmware version 9.3.5u.6369_B20220309 and prioritize upgrading to a patched firmware once the vendor releases one. Until then, network administrators should restrict access to the router's management interfaces, in particular blocking WAN-side access to the /cgi-bin/cstecgi.cgi endpoint with firewall rules or access control lists. Segment the network so that affected devices are isolated from critical internal systems, limiting lateral movement. Monitor traffic for unusual POST requests to the vulnerable endpoint, especially ones whose 'ip' argument is not a plain IP address, and deploy intrusion detection/prevention signatures for this exploit where available. Disable or restrict the diagnostic features that use the vulnerable setDiagnosisCfg function if possible. Regularly audit device configurations and logs for signs of compromise. Finally, consider replacing affected devices with models from vendors with timely security update practices if long-term patching is uncertain.
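The monitoring step above can be made concrete: the example below (added here, not taken from the advisory or from Totolink firmware) scans constructed request records for POSTs to /cgi-bin/cstecgi.cgi whose 'ip' argument does not parse as a literal IP address, which is also the validation the handler itself should enforce. The body encodings (JSON or form-encoded) and the sample requests are assumptions for the example; the advisory only names the endpoint and the parameter.

```python
import ipaddress
import json
from urllib.parse import parse_qs

# Endpoint and argument named in the advisory for CVE-2026-1149.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_PARAM = "ip"


def extract_ip_param(body: str):
    """Return the 'ip' value from a JSON or form-encoded POST body, or None.
    Supporting both encodings is an assumption of this example."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and VULN_PARAM in data:
            return str(data[VULN_PARAM])
    except ValueError:          # not JSON; fall through to form decoding
        pass
    values = parse_qs(body).get(VULN_PARAM)
    return values[0] if values else None


def is_strict_ip(value: str) -> bool:
    """Accept only a bare IPv4/IPv6 literal: no whitespace, hostnames,
    or shell metacharacters. Deliberately no .strip(), so padding is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def flag_request(method: str, path: str, body: str):
    """Return a reason string for a suspicious request, else None."""
    if method != "POST" or path != VULN_PATH:
        return None
    value = extract_ip_param(body)
    if value is None or is_strict_ip(value):
        return None
    return f"non-address value in {VULN_PARAM!r}: {value!r}"


def scan(requests):
    """Yield (index, reason) for every flagged (method, path, body) record."""
    return [(i, r) for i, (m, p, b) in enumerate(requests) if (r := flag_request(m, p, b))]


# Constructed sample requests, not real captures.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, '{"ip": "8.8.8.8"}'),                 # benign
    ("POST", VULN_PATH, '{"ip": "8.8.8.8; echo probe"}'),     # metacharacter
    ("POST", VULN_PATH, "ip=127.0.0.1%0Aecho+probe"),         # newline, form body
    ("GET", "/index.htm", ""),                                # unrelated
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```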
Affected Countries
China, South Korea, Vietnam, India, United States, Germany, Russia, Brazil, Indonesia, Thailand
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T13:55:26.431Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e06e5d302b072d9adddaf
Added to database: 1/19/2026, 10:26:45 AM
Last enriched: 2/23/2026, 10:13:16 PM
Last updated: 3/26/2026, 10:29:58 AM