CVE-2026-1155 is a buffer overflow vulnerability identified in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi CGI script. Specifically, the 'ssid' parameter is not properly validated or bounds-checked, allowing an attacker to supply an oversized input that overflows the buffer. This overflow can corrupt adjacent memory, potentially enabling remote code execution with elevated privileges on the device. The attack vector is remote network access to the router's management interface, requiring no authentication or user interaction, which significantly lowers the barrier for exploitation. The CVSS 4.0 score of 8.7 reflects the critical nature of the vulnerability, with high impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, the public availability of exploit code increases the likelihood of future attacks. The vulnerability affects a widely deployed consumer and small business router model, which may be used in European organizations for network access or guest Wi-Fi services. The lack of vendor-provided patches at the time of publication necessitates interim mitigations such as network segmentation and access restrictions. This vulnerability exemplifies the risks posed by insecure input handling in embedded device web interfaces and underscores the importance of timely firmware updates and network security controls.

The vulnerability allows remote attackers to execute arbitrary code on affected Totolink LR350 routers without authentication or user interaction, threatening the confidentiality, integrity, and availability of network infrastructure. Successful exploitation could lead to full device compromise, enabling attackers to intercept or manipulate network traffic, pivot into internal networks, or disrupt network services. For European organizations, this could result in data breaches, operational downtime, and exposure to further attacks. The impact is particularly severe for enterprises relying on these routers for guest Wi-Fi access or as part of their network perimeter, as compromised devices could serve as entry points for lateral movement. Additionally, critical infrastructure or government entities using these devices may face heightened risks due to potential espionage or sabotage. The public availability of exploit code increases the urgency to address this vulnerability before widespread exploitation occurs.

1. Immediately verify if your organization uses Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309 and prioritize them for remediation. 2. Monitor Totolink vendor communications for official firmware updates or patches addressing CVE-2026-1155 and apply them promptly once available. 3. Until patches are released, restrict remote access to the router management interface by implementing network segmentation and firewall rules that limit access to trusted IP addresses only. 4. Disable or restrict the use of the vulnerable CGI interface (/cgi-bin/cstecgi.cgi) if possible, or disable guest Wi-Fi features that invoke the setWiFiEasyGuestCfg function. 5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting exploitation attempts targeting this buffer overflow. 6. Conduct regular network traffic monitoring and device integrity checks to identify anomalous behavior indicative of compromise. 7. Educate IT staff about the vulnerability and ensure incident response plans include steps for handling potential exploitation. 8. Consider replacing affected devices with models from vendors with more robust security update policies if timely patches are unavailable.