CVE-2026-1150 is a command injection vulnerability identified in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi component, which handles POST requests. Specifically, the 'command' argument passed to this function is not properly sanitized, allowing an attacker to inject arbitrary system commands. This flaw can be exploited remotely without requiring authentication or user interaction, making it a significant risk for exposed devices. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability. Although the exploit code has been publicly released, there are no confirmed reports of active exploitation in the wild yet. The vulnerability could allow attackers to execute arbitrary commands on the router, potentially leading to unauthorized access, data interception, or disruption of network services. The affected product, Totolink LR350, is a consumer and small business router, which may be deployed in various organizational environments. Due to the nature of the vulnerability, attackers could leverage it to pivot into internal networks or disrupt network operations. The lack of vendor patches at the time of disclosure increases the urgency for organizations to implement interim protective measures.

For European organizations, this vulnerability poses a risk of unauthorized remote code execution on affected Totolink LR350 routers, potentially compromising network confidentiality, integrity, and availability. Attackers exploiting this flaw could intercept or manipulate network traffic, disrupt connectivity, or use the compromised device as a foothold for further attacks within the corporate network. Small and medium enterprises using Totolink LR350 devices as primary network gateways are particularly vulnerable, as these devices often lack advanced security controls. The public availability of exploit code increases the likelihood of opportunistic attacks, especially against poorly secured or internet-facing routers. Disruption of network services could impact business operations, data privacy compliance, and cause reputational damage. Additionally, compromised routers could be enlisted in botnets or used to launch attacks against other targets, amplifying the threat landscape. The medium severity rating suggests that while the impact is significant, exploitation requires some conditions such as network access and limited privileges, which may reduce the overall risk in well-segmented environments.

Organizations should immediately inventory their network infrastructure to identify any Totolink LR350 devices running the vulnerable firmware version 9.3.5u.6369_B20220309. Until an official patch is released, restrict remote access to router management interfaces by implementing firewall rules that limit access to trusted IP addresses or internal networks only. Disable or restrict the traceroute functionality if possible, or monitor for unusual traceroute-related POST requests targeting /cgi-bin/cstecgi.cgi. Employ network segmentation to isolate vulnerable devices from critical systems and sensitive data. Regularly monitor network traffic and device logs for signs of command injection attempts or anomalous behavior. Consider deploying intrusion detection/prevention systems with signatures tailored to detect exploitation attempts targeting this vulnerability. Once the vendor releases a patch, prioritize timely firmware updates to remediate the vulnerability. Additionally, educate network administrators about the risks and signs of exploitation to enhance detection and response capabilities.