CVE-2026-1150 is a command injection vulnerability discovered in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi POST request handler. Specifically, the 'command' parameter is insufficiently sanitized, allowing an attacker to inject arbitrary system commands. This flaw can be exploited remotely over the network without requiring authentication or user interaction, increasing the attack surface significantly. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level, with network attack vector, low complexity, no privileges required, and no user interaction needed. The impact includes potential full system compromise, enabling attackers to execute arbitrary commands, disrupt device functionality, exfiltrate sensitive information, or pivot into internal networks. Although no known exploits in the wild have been reported, the public release of exploit code increases the risk of future attacks. The affected product, Totolink LR350, is a consumer and small business router, which may be deployed in various organizational environments. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Exploitation could lead to unauthorized control over affected routers, enabling attackers to intercept or manipulate network traffic, launch further attacks within internal networks, or cause denial of service conditions. Confidentiality may be compromised through data interception or exfiltration, integrity may be undermined by unauthorized configuration changes or command execution, and availability could be impacted by device disruption. Organizations relying on Totolink LR350 devices for critical network functions, especially in sectors such as SMEs, education, or remote office environments, may face increased exposure. The medium severity rating reflects the balance between ease of exploitation and impact; however, the absence of authentication and user interaction requirements elevates the threat level. European entities with limited patch management capabilities or those unaware of this vulnerability are particularly vulnerable.

1. Immediately identify and inventory all Totolink LR350 devices running firmware version 9.3.5u.6369_B20220309 within the network. 2. Monitor Totolink's official channels for firmware updates or patches addressing CVE-2026-1150 and apply them promptly upon release. 3. Until patches are available, restrict access to the router's management interfaces by disabling remote management and limiting access to trusted internal IP addresses only. 4. Implement network segmentation to isolate vulnerable devices from critical network segments and sensitive data. 5. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts targeting /cgi-bin/cstecgi.cgi endpoints. 6. Conduct regular log analysis on affected devices to identify suspicious POST requests containing unusual 'command' parameters. 7. Educate IT staff about this vulnerability to enhance monitoring and incident response readiness. 8. Consider replacing affected devices with alternative routers from vendors with robust security update practices if patching is delayed or unavailable.