CVE-2026-1149 in LR350
Summary
by MITRE • 01/19/2026
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/29/2026
The vulnerability CVE-2026-1149 represents a critical command injection flaw within the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. This issue resides in the POST Request Handler component of the device's web interface, specifically within the setDiagnosisCfg function located in the /cgi-bin/cstecgi.cgi file. The vulnerability stems from inadequate input validation and sanitization of the ip parameter, which is processed through a remote web interface that accepts user-supplied data without proper security controls. The affected device operates with a web-based management interface that processes HTTP POST requests containing configuration parameters, making it susceptible to exploitation through network-based attacks.
The technical implementation of this vulnerability allows attackers to inject arbitrary commands into the system by manipulating the ip argument parameter within the POST request to the cstecgi.cgi endpoint. When the router processes this malformed input, it fails to properly sanitize the data before executing system commands, enabling an attacker to execute arbitrary shell commands with the privileges of the web server process. This command injection occurs because the application directly incorporates user-supplied input into system command execution contexts without appropriate validation or encoding. The vulnerability follows the common pattern of insufficient input sanitization, which is classified under CWE-77 and aligns with the ATT&CK technique T1059.001 for command and script injection. The attack vector is particularly dangerous because it requires no authentication or physical access to the device, as the vulnerability can be exploited through unauthenticated remote network requests.
The operational impact of this vulnerability is severe and encompasses multiple critical security implications for affected networks. An attacker who successfully exploits this command injection vulnerability can gain complete control over the affected router, potentially enabling them to modify network configurations, redirect traffic, establish backdoors, or use the device as a pivot point for attacking internal network resources. The remote exploit capability means that attackers can target vulnerable devices from anywhere on the internet, making this vulnerability particularly dangerous for organizations that have exposed their router management interfaces to external networks. The publicly available exploit increases the likelihood of widespread exploitation, as malicious actors can readily leverage this vulnerability without requiring advanced technical skills. Organizations may face significant risks including unauthorized network access, data exfiltration, and potential use of compromised devices for launching further attacks against other systems within the network perimeter.
Mitigation strategies for CVE-2026-1149 should prioritize immediate firmware updates from the vendor when available, as this represents the most effective protection against the vulnerability. Network administrators should implement strict firewall rules to block external access to the router's management interface, particularly on ports commonly used for web administration such as port 80 and 443. The principle of least privilege should be applied by restricting access to the router's management interface to only trusted network segments and IP addresses. Network segmentation techniques can help limit the potential impact of exploitation by isolating critical network components from potentially compromised devices. Additionally, monitoring network traffic for suspicious patterns related to the cstecgi.cgi endpoint and implementing intrusion detection systems can help identify exploitation attempts. Organizations should also consider disabling unnecessary services and features on the router, including remote management capabilities, and regularly audit their network infrastructure to identify and remediate similar vulnerabilities. The ATT&CK framework suggests implementing network boundaries and access controls as defensive measures against this type of exploitation, while CWE guidelines emphasize the importance of input validation and secure coding practices to prevent such injection vulnerabilities in network device firmware development.