What is CVE-2026-1158?

A high-severity buffer overflow vulnerability has been identified in Totolink LR350 9.3.5u.6369_B20220309. Organizations need to address this issue promptly to mitigate risks associated with remote attacks.

What is the severity of CVE-2026-1158?

CVE-2026-1158 has a severity rating of HIGH with a CVSS base score of 7.4.

CVE-2026-1158 | Totolink - Buffer Overflow

A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

With a CVSS score of 7.4, this vulnerability is classified as high severity. It poses significant risk to organizations, especially considering its remote exploitability and low complexity requirements. Immediate action is necessary to prevent potential exploitation.

Risk to organizations includes unauthorized access and control over vulnerable devices, leading to potential data breaches or further network compromises. Organizations should prioritize patching immediately.

Currently, there are no known exploits available, but the risk remains high due to the public disclosure of the vulnerability. Organizations must remain vigilant and ready to implement necessary mitigations.

Given the nature of this vulnerability, it should be addressed in priority patch cycles to mitigate risks effectively.

Organizations should also consider implementing additional security measures to monitor and protect against potential exploitation attempts.

Vulnerability Details

The CVSS score for this vulnerability is 7.4, indicating high severity. The vulnerability allows remote attackers to exploit the system without requiring user interaction.

The vulnerability's publication date was January 19, 2026, and it is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

Technical Analysis

The root cause of this vulnerability lies in improper handling of the ssid argument in the setWizardCfg function. This oversight leads to a buffer overflow, allowing attackers to execute arbitrary code remotely.

The attack vector is network-based, and the attack complexity is low, meaning that attackers can exploit this vulnerability with minimal effort. The privileges required for exploitation are low, and no user interaction is necessary.

Exploitation of this vulnerability can result in high impacts across confidentiality, integrity, and availability, making it a critical concern for affected organizations.

Risk & Impact Analysis

Real-world deployment risk is significant due to the widespread use of the affected Totolink LR350 device. Organizations using this device should evaluate their exposure and take immediate action.

The potential blast radius includes all devices running the vulnerable firmware version, which could lead to widespread unauthorized access and control if exploited.

Organizations should assess the urgency based on the CVSS score of 7.4 and prioritize patching as part of their security management practices.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerable version is Totolink LR350 firmware version 9.3.5u.6369_B20220309. All versions prior to vendor patch are affected.

Mitigation & Remediation

Organizations should prioritize patching the affected firmware as soon as possible. For those unable to immediately apply a patch, consider implementing network controls to restrict access to the vulnerable components. Regular monitoring for unusual activity on the network can also help mitigate the risk.

For further guidance, organizations may refer to our penetration testing services to ensure their systems are secure.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor logs for unexpected POST requests to /cgi-bin/cstecgi.cgi, especially those containing unusual ssid arguments. Behavioral anomalies such as spikes in network traffic or unauthorized access attempts should also be investigated.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in its potential to compromise network security for a wide range of organizations using Totolink devices. Security teams should be aware of similar patterns in vulnerabilities that allow remote code execution through improper input handling.

Additionally, our API penetration testing guide provides insights on securing your API endpoints against similar vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-1158: High Vulnerability in Totolink LR350 Firmware