CVE-2026-1150 is a command injection vulnerability identified in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi component, which handles POST requests. Specifically, the 'command' argument within this function is improperly sanitized, allowing an attacker to inject arbitrary shell commands. This flaw can be exploited remotely without requiring authentication or user interaction, as the POST request handler is accessible over the network. The vulnerability allows an attacker to execute commands with the privileges of the web server process, potentially leading to unauthorized access, device control, or disruption of network services. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no official patches or updates have been released at the time of publication, public exploit code is available, increasing the likelihood of exploitation. The vulnerability affects a widely used consumer and small business router model, which may be deployed in various organizational environments. Due to the nature of the flaw, attackers could leverage it to pivot into internal networks or disrupt connectivity.

The impact of CVE-2026-1150 can be significant for organizations relying on Totolink LR350 routers. Successful exploitation allows remote attackers to execute arbitrary commands on the device, potentially leading to unauthorized configuration changes, interception or manipulation of network traffic, installation of persistent malware, or denial of service conditions. This could compromise the confidentiality of sensitive data traversing the network, integrity of device configurations, and availability of network services. Given that the router often serves as a gateway device, attackers could use this vulnerability as a foothold to launch further attacks against internal systems. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing risk. Organizations with large deployments of this router model, especially those in critical infrastructure or sensitive sectors, face elevated risks of espionage, data breaches, or operational disruption.

1. Immediately isolate affected Totolink LR350 devices from untrusted networks to reduce exposure. 2. Monitor network traffic for suspicious POST requests targeting /cgi-bin/cstecgi.cgi, especially those containing unusual 'command' parameters. 3. Implement network-level access controls to restrict management interface access to trusted IP addresses only. 4. Disable remote management features if not required to minimize attack surface. 5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this specific command injection pattern. 6. Regularly audit router configurations and logs for signs of compromise or unauthorized changes. 7. Engage with Totolink support channels to obtain firmware updates or patches once available and apply them promptly. 8. Consider replacing affected devices with models from vendors with more robust security track records if patches are delayed. 9. Educate network administrators about this vulnerability and enforce strict credential management to prevent lateral movement post-exploitation.