What is CVE-2026-1156?

A high-severity buffer overflow vulnerability in Totolink LR350 firmware allows remote exploitation. Organizations should prioritize patching to mitigate risks associated with this vulnerability.

What is the severity of CVE-2026-1156?

CVE-2026-1156 has a severity rating of HIGH with a CVSS base score of 7.4.

CVE-2026-1156 | High Vulnerability in Totolink LR350 Firmware

A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

The CVSS score for this vulnerability is 7.4, categorized as high severity. This level of severity indicates significant potential impact on confidentiality, integrity, and availability. Organizations should prioritize patching immediately.

Risk to organizations includes unauthorized access and control over the affected device due to buffer overflow exploitation. Given the network attack vector and low complexity, the risk is heightened, especially for devices exposed to the internet.

As of now, there are no known public exploits or proof of concept (PoC) available for this vulnerability. However, given the nature of the issue, it remains crucial for organizations to monitor their defenses.

Organizations should address this vulnerability in their priority patch cycle, ensuring that all affected systems are updated with the latest firmware.

Vulnerability Details

This vulnerability allows a remote attacker to exploit the function setWiFiBasicCfg, which is responsible for configuring WiFi settings. The manipulation of the ssid argument can lead to a buffer overflow, compromising the device's operation.

The CVSS score of 7.4 indicates high severity, reflecting the potential for significant impact. Organizations need to assess their potential exposure and apply necessary patches.

The vulnerability affects Totolink LR350 firmware version 9.3.5u.6369_B20220309, which is the only version identified as vulnerable. The vulnerability was published on January 19, 2026.

Technical Analysis

The root cause of this vulnerability is improper validation of input parameters, specifically during the handling of the ssid argument in the setWiFiBasicCfg function. The attack vector is network-based, allowing remote exploitation without physical access to the device.

The attack complexity is low, as no special conditions are required for exploitation, and the privileges required are also low. Attackers may initiate the attack without user interaction, which increases the risk.

The impacts of exploitation are significant: confidentiality, integrity, and availability are all rated as high, indicating that a successful attack could lead to complete loss of control over the device. This vulnerability is classified under CWE-119 and CWE-120.

Risk & Impact Analysis

Real-world deployment risks include unauthorized access to network resources, potential data exfiltration, and disruption of service. Given the device's role in network infrastructure, the blast radius can be significant, affecting other connected systems.

Organizations should be aware that the attack may not be limited to the exposed device, as compromised devices can serve as entry points for further attacks. The urgency assessment based on the CVSS score indicates that organizations should prioritize mitigation efforts.

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects Totolink LR350 firmware version 9.3.5u.6369_B20220309. Organizations should ensure that this version is updated to mitigate risks associated with this vulnerability.

Mitigation & Remediation

Organizations are advised to apply patches as soon as they become available. In the absence of an immediate patch, consider implementing network segmentation and monitoring to limit exposure.Penetration testing can also help identify weaknesses and validate defenses against potential exploitation.

Detection Guidance

Monitor logs for unusual access patterns and configuration changes. Behavioral anomalies such as unexpected reboots or performance degradation may also indicate exploitation attempts.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing need for robust security practices in network devices. As the potential for exploitation exists, organizations must remain vigilant.

For further guidance on security assessments, organizations can refer to application security assessments and explore best practices in red teaming to fortify defenses.

Finally, organizations should consider reviewing continuous penetration testing strategies to improve their overall security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-1156: High Vulnerability in Totolink LR350 Firmware