CVE-2026-1149: Command Injection in Totolink LR350
CVE-2026-1149 is a medium-severity command injection vulnerability in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. It affects the setDiagnosisCfg function in the /cgi-bin/cstecgi.cgi POST request handler, where manipulation of the 'ip' argument allows remote attackers to execute arbitrary commands. Exploitation does not require user interaction or authentication, increasing its risk. Although no known exploits are currently active in the wild, a public exploit is available. This vulnerability can compromise the confidentiality, integrity, and availability of affected devices, potentially allowing attackers to take full control of the router. European organizations using this router model should prioritize patching or mitigating this issue to prevent unauthorized access and network compromise.
AI Analysis
Technical Summary
CVE-2026-1149 is a command injection vulnerability in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The flaw resides in the setDiagnosisCfg function reached through the /cgi-bin/cstecgi.cgi POST request handler. The 'ip' parameter is passed into a system command without adequate sanitization, so an attacker who controls its value can append shell commands of their own. Because the endpoint is reachable over the network and, per the advisory, requires neither authentication nor user interaction, the attack needs no prior access. Successful exploitation executes arbitrary commands with the privileges of the web server process, which on embedded devices like routers often runs as root. That amounts to full device compromise: the attacker can alter configuration, intercept or redirect traffic, or pivot into the internal network. The assigned CVSS v4.0 base score is 5.3 (medium). A medium rating sits oddly beside unauthenticated remote command execution, so check the published vector string before relying on the score for prioritization; the exploitation conditions described here, not the number alone, should drive the risk decision. No patch or official fix is currently linked. No exploitation in the wild has been observed, but a public exploit is available, which lowers the bar for future attacks. The root cause is the familiar one for embedded web interfaces: untrusted input reaching a shell without an allow-list check, compounded by a management endpoint exposed to the network.
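The bug class, modelled in Python as an added example (the LR350 handler itself is native code inside cstecgi.cgi, and its source is not on this page): a diagnostic function that splices the 'ip' field into a shell command line, beside a hardened version that allow-lists the value as an IP literal and hands an argv list to the program with no shell in between. The function names, the assumed underlying 'ping' command and the injected sample string are illustrative assumptions, not the public exploit.

```python
"""Model of the CWE-78 pattern behind CVE-2026-1149 and its fix.

Added example, not Totolink firmware code. The real handler is native
code in cstecgi.cgi; the function names, the diagnostic command ("ping")
and the sample inputs are assumptions used to show the bug class.
"""
import ipaddress
import subprocess


def build_diag_command_vulnerable(ip: str) -> str:
    # Vulnerable pattern (assumed): the caller-supplied 'ip' field is
    # spliced verbatim into a command line that is later handed to a
    # shell (system()-style), so ';', '|', '`' and '$(...)' are honoured.
    return f"ping -c 4 {ip}"


def validate_ip(ip: str) -> str:
    # Strict allow-list: only a syntactically valid IPv4/IPv6 literal
    # passes. Hostnames, whitespace and any shell metacharacter fail here.
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        raise ValueError(f"rejected diagnosis target: {ip!r}") from None


def build_diag_argv_safe(ip: str) -> list:
    # Hardened: validate first, then build an argv list. Each element is
    # passed to the program as a single argument; no shell ever parses it.
    return ["ping", "-c", "4", validate_ip(ip)]


def run_diag_safe(ip: str) -> subprocess.CompletedProcess:
    # shell=False is the default, stated explicitly for emphasis.
    return subprocess.run(build_diag_argv_safe(ip), shell=False,
                          capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    benign = "192.0.2.10"
    hostile = "192.0.2.10; id"   # constructed illustration of an injected value
    print("vulnerable command line:", build_diag_command_vulnerable(hostile))
    print("hardened argv:", build_diag_argv_safe(benign))
    try:
        build_diag_argv_safe(hostile)
    except ValueError as err:
        print("hardened path blocked it:", err)
```

The important design choice is the order of operations: the value is accepted only if it parses as an address, and the program is launched from an argv list rather than a concatenated string. Escaping or blacklisting metacharacters on the way into a shell is the approach that keeps failing on embedded devices.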
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those relying on Totolink LR350 routers in their network infrastructure. Exploitation could lead to unauthorized control over network gateways, allowing attackers to intercept sensitive data, disrupt network availability, or launch further attacks within the internal network. This is particularly critical for organizations handling sensitive personal data under GDPR, as a breach could result in regulatory penalties and reputational damage. Industrial, governmental, and critical infrastructure sectors using these devices may face operational disruptions or espionage risks. The remote, unauthenticated nature of the exploit increases the likelihood of automated scanning and exploitation attempts, potentially impacting a broad range of organizations. Additionally, compromised routers could be recruited into botnets, amplifying threats to wider internet stability and security.
Mitigation Recommendations
No official patch is linked at present, so organizations running the affected firmware should apply compensating controls immediately. Restrict access to the router's web management interface (including /cgi-bin/cstecgi.cgi) to a trusted management network or VPN, and confirm that WAN-side remote management is disabled. Place affected devices on segmented networks so that a compromised router cannot be used for lateral movement. Monitor for POST requests to /cgi-bin/cstecgi.cgi from untrusted sources, for shell metacharacters in the 'ip' field of setDiagnosisCfg requests, and for unexpected outbound connections originating from the router itself, which is the observable sign of a successful compromise. Plan to replace vulnerable devices or upgrade their firmware as soon as a fixed version is available, and watch the vendor's advisories for it. IDS/IPS signatures targeting the vulnerable endpoint can detect and block exploitation attempts. Finally, make sure IT staff are aware of the issue and that incident response plans cover compromised network devices, including how a router is rebuilt or replaced once it is suspected of compromise.
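Detection logic for the monitoring recommendation above, as an added example (not from the page or the vendor). It assumes request bodies are visible to whatever sits in front of the router (a reverse proxy, an IDS, or a mirror-port feed) and that setDiagnosisCfg requests carry their parameters either as JSON or as form-encoded fields; the 'topicurl' key and the sample records are constructed assumptions. A well-formed IP literal in 'ip' is treated as legitimate diagnostic use; anything else is flagged, with shell metacharacters escalated to an injection-attempt alert.

```python
"""Flag CVE-2026-1149 exploitation attempts in captured HTTP requests.

Added example. Assumes the capture point can see POST bodies and that
the request carries its parameters as JSON or form encoding; the
'topicurl' key name and all sample traffic below are constructed.
"""
import ipaddress
import json
import re
from typing import Optional
from urllib.parse import parse_qs

VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_FUNC = "setDiagnosisCfg"
# Characters a shell would interpret; any of them inside an 'ip' value is hostile.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\ ]")


def extract_fields(body: str) -> dict:
    """Return request parameters as a flat str->str dict (JSON or form data)."""
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return {k: str(v) for k, v in obj.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(method: str, path: str, body: str) -> Optional[str]:
    """Return an alert label for a suspicious request, or None if benign."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return None
    if VULN_FUNC not in body:
        return None
    ip = extract_fields(body).get("ip")
    if ip is None:
        return None
    try:
        ipaddress.ip_address(ip)
        return None          # valid address literal: normal diagnostic use
    except ValueError:
        pass
    if SHELL_META.search(ip):
        return "cve-2026-1149-injection-attempt"
    return "cve-2026-1149-malformed-ip"


def scan(records) -> list:
    """Return (record_no, label, ip_value) for every flagged request."""
    alerts = []
    for n, (method, path, body) in enumerate(records, 1):
        label = classify(method, path, body)
        if label:
            alerts.append((n, label, extract_fields(body).get("ip")))
    return alerts


# Constructed sample traffic (not real captures): one benign diagnostic
# request, two injection attempts (JSON and form-encoded), one malformed
# hostname, and an unrelated GET.
SAMPLE = [
    ("POST", VULN_PATH, '{"topicurl":"setDiagnosisCfg","ip":"192.0.2.1"}'),
    ("POST", VULN_PATH, '{"topicurl":"setDiagnosisCfg","ip":"192.0.2.1;id"}'),
    ("POST", VULN_PATH, "topicurl=setDiagnosisCfg&ip=%60id%60"),
    ("POST", VULN_PATH, '{"topicurl":"setDiagnosisCfg","ip":"router.lan"}'),
    ("GET",  VULN_PATH, ""),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Keying the rule on the endpoint plus the function name plus a non-address 'ip' value, rather than on a specific payload, means it also catches variants of the public exploit that use different metacharacters or encodings. The malformed-ip label is deliberately separate so that a hostname typed into the diagnostics page by an administrator produces a low-priority event rather than an incident.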
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T13:55:26.431Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e06e5d302b072d9adddaf
Added to database: 1/19/2026, 10:26:45 AM
Last enriched: 1/19/2026, 10:41:10 AM
Last updated: 1/19/2026, 11:41:26 AM