
CVE-2026-1149: Command Injection in Totolink LR350

Medium
Published: Mon Jan 19 2026 (01/19/2026, 10:02:09 UTC)
Source: CVE Database V5
Vendor/Project: Totolink
Product: LR350

Description

CVE-2026-1149 is a medium-severity command injection vulnerability affecting Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. The flaw exists in the setDiagnosisCfg function within the /cgi-bin/cstecgi.cgi POST request handler, where the ip argument can be manipulated to execute arbitrary commands remotely without authentication or user interaction. Although exploitation requires low complexity and no privileges, the impact on confidentiality, integrity, and availability is limited. No known exploits are currently active in the wild. European organizations using affected Totolink LR350 devices should prioritize firmware updates once patches are available and implement network segmentation and monitoring to mitigate risk.

AI-Powered Analysis

Last updated: 01/26/2026, 20:03:26 UTC

Technical Analysis

CVE-2026-1149 affects the Totolink LR350 router, specifically firmware version 9.3.5u.6369_B20220309. It resides in the setDiagnosisCfg function of the /cgi-bin/cstecgi.cgi component, which handles POST requests. The vulnerability arises from improper sanitization of the 'ip' argument, allowing an attacker to inject arbitrary commands that the system executes. This command injection can be triggered remotely without requiring authentication or user interaction, making it accessible to unauthenticated remote attackers. The CVSS 4.0 base score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as the attacker can execute commands that may alter system behavior or extract information. No patches or exploit code are currently publicly available, but the exploit is known to be possible and may be weaponized. The vulnerability affects only the specified firmware version, and no other Totolink products or versions are indicated as vulnerable. The issue is critical for environments where these routers are exposed to untrusted networks, especially if used as perimeter devices or in critical infrastructure.

Potential Impact

For European organizations, the vulnerability poses a moderate risk primarily to those deploying Totolink LR350 routers with the affected firmware. Successful exploitation could allow attackers to execute arbitrary commands on the device, potentially leading to unauthorized access to network segments, interception or manipulation of traffic, or disruption of network services. This could compromise the confidentiality and integrity of internal communications and degrade availability if the device is taken offline or misconfigured. Organizations relying on these routers for critical connectivity or in sensitive environments such as SMEs, educational institutions, or small branch offices may face increased exposure. The lack of authentication requirement increases the attack surface, especially for devices accessible from the internet or poorly segmented internal networks. However, the limited scope of affected firmware and absence of known active exploits reduce immediate widespread impact. Still, the threat warrants proactive mitigation to prevent lateral movement or foothold establishment by attackers targeting European networks.

Mitigation Recommendations

1. Immediately inventory all Totolink LR350 devices and verify firmware versions; prioritize those running 9.3.5u.6369_B20220309.
2. Apply vendor-supplied patches or firmware updates as soon as they become available. If no patch is available, consider temporary device replacement or firmware rollback to a non-vulnerable version.
3. Restrict access to router management interfaces by implementing network segmentation and firewall rules to limit access to trusted administrators only.
4. Disable remote management features or restrict them to secure VPN connections.
5. Monitor network traffic for unusual POST requests to /cgi-bin/cstecgi.cgi and anomalous command execution patterns.
6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting command injection attempts on Totolink devices.
7. Educate network administrators on the risks and signs of exploitation to enable rapid incident response.
8. Regularly audit router configurations and logs to detect unauthorized changes or suspicious activity.
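An added example for the monitoring recommendation (item 5), not code from the vendor or from this advisory: it reviews logged requests to /cgi-bin/cstecgi.cgi and flags any setDiagnosisCfg call whose ip value is not a plain IP address or hostname. The JSON body with a `topicurl` field is an assumption about the request format, and the sample records are constructed.

```python
import ipaddress
import json
import re

# Assumption: the POST body is a JSON object; "topicurl" names the function.
HANDLER_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNCTION = "setDiagnosisCfg"
# Hostname: dot-separated labels of letters, digits and inner hyphens only.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)" + LABEL + r"(?:\." + LABEL + r")*")

def is_plain_target(value):
    """True only for an IP address literal or a syntactically valid hostname."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None

def review_request(method, path, body):
    """Return a finding string for a suspicious request, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != HANDLER_PATH:
        return None
    try:
        fields = json.loads(body)
    except (ValueError, TypeError):
        return "unparseable body sent to " + HANDLER_PATH
    if not isinstance(fields, dict) or fields.get("topicurl") != TARGET_FUNCTION:
        return None
    if not is_plain_target(fields.get("ip")):
        return "%s ip is not an address or hostname: %r" % (TARGET_FUNCTION, fields.get("ip"))
    return None

# Constructed records (method, path, body), as a proxy or IDS log might give.
SAMPLES = [
    ("POST", HANDLER_PATH, '{"topicurl":"setDiagnosisCfg","ip":"192.0.2.10"}'),
    ("POST", HANDLER_PATH, '{"topicurl":"setDiagnosisCfg","ip":"gw.example.net"}'),
    ("POST", HANDLER_PATH, '{"topicurl":"setDiagnosisCfg","ip":"192.0.2.10;PLACEHOLDER"}'),
    ("GET", "/index.html", ""),
]

def scan(records):
    """Return (record index, finding) for every record that needs review."""
    return [(i, f) for i, r in enumerate(records) if (f := review_request(*r))]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

The check is an allow-list on the value's shape rather than a list of known-bad characters, so it also flags values with whitespace, a leading hyphen, or a missing ip field.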


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-18T13:55:26.431Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 696e06e5d302b072d9adddaf

Added to database: 1/19/2026, 10:26:45 AM

Last enriched: 1/26/2026, 8:03:26 PM

Last updated: 2/7/2026, 12:26:44 PM
