CVE-2026-1155 is a remote buffer overflow vulnerability identified in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi CGI script, which processes the ssid parameter. Due to insufficient input validation or improper bounds checking, an attacker can supply a specially crafted ssid argument that overflows the buffer, potentially overwriting adjacent memory. This can lead to arbitrary code execution, allowing an attacker to gain control over the device remotely without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact metrics indicate high confidentiality, integrity, and availability impacts, meaning the attacker could exfiltrate sensitive data, modify device configurations, or disrupt network services. While no exploits are currently reported in the wild, a public exploit is available, increasing the likelihood of exploitation. The affected product is a widely used consumer and small business router, making this vulnerability relevant for many organizations relying on Totolink LR350 devices for network connectivity.

The vulnerability allows remote attackers to execute arbitrary code on affected Totolink LR350 routers, potentially leading to full device compromise. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network availability, and persistent backdoors for further attacks. Organizations using these routers may face data breaches, network outages, and loss of control over critical network infrastructure. Given the router’s role as a gateway device, exploitation could also facilitate lateral movement into corporate networks or home environments. The absence of required authentication and user interaction lowers the barrier for attackers, increasing the risk of widespread exploitation. The public availability of an exploit further elevates the threat, especially in environments where patching is delayed or unsupported.

1. Immediately update the Totolink LR350 firmware to a version that addresses CVE-2026-1155 once released by the vendor. 2. If no patch is available, restrict remote access to the router’s management interface by disabling remote administration or limiting access to trusted IP addresses. 3. Implement network segmentation to isolate vulnerable devices from critical assets. 4. Monitor network traffic for unusual activity targeting the /cgi-bin/cstecgi.cgi endpoint or suspicious attempts to manipulate the ssid parameter. 5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability or exploit patterns. 6. Regularly audit and inventory network devices to identify and prioritize vulnerable Totolink LR350 units for remediation. 7. Educate network administrators about the risk and signs of exploitation to enable rapid response. 8. Consider deploying compensating controls such as web application firewalls (WAF) to block malicious payloads targeting the vulnerable CGI script.