CVE-2026-4976: Totolink LR350 Buffer Overflow Vulnerability

CVE-2026-4976 Overview

CVE-2026-4976 is a buffer overflow vulnerability in the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The flaw resides in the setWiFiGuestCfg function within /cgi-bin/cstecgi.cgi. Attackers can trigger memory corruption by manipulating the ssid argument, which is not properly bounded before being copied into a fixed-size buffer. The vulnerability is exploitable remotely over the network and requires only low-privilege authentication. Public exploit details have been disclosed, increasing the risk of opportunistic abuse against exposed devices. The issue is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Remote attackers with low privileges can corrupt memory on affected Totolink LR350 devices, potentially leading to arbitrary code execution or device compromise on the router serving the local network.

Affected Products

• Totolink LR350 hardware device
• Totolink LR350 firmware version 9.3.5u.6369_B20220309
• Deployments exposing the /cgi-bin/cstecgi.cgi management interface

Discovery Timeline

• 2026-03-27 - CVE-2026-4976 published to NVD
• 2026-04-03 - Last updated in NVD database

Technical Details for CVE-2026-4976

Vulnerability Analysis

The vulnerability exists in the setWiFiGuestCfg handler exposed through the Common Gateway Interface (CGI) endpoint /cgi-bin/cstecgi.cgi. This endpoint processes JSON-style configuration requests for the guest Wi-Fi network. The ssid parameter is read from the request body and copied into a stack-resident buffer without validating its length. Submitting an oversized ssid value overruns the buffer and corrupts adjacent stack data, including saved return addresses on MIPS-based router firmware.

Successful exploitation can crash the HTTP daemon, disable router management, or pivot to arbitrary code execution depending on stack layout and the presence of memory protections. Embedded routers like the LR350 commonly lack stack canaries and address space layout randomization (ASLR), which lowers exploitation complexity. The endpoint is reachable from any host able to send HTTP requests to the management interface.

Root Cause

The root cause is missing bounds checking on user-supplied input prior to a buffer copy operation, mapped to [CWE-119]. The setWiFiGuestCfg function trusts the caller-supplied ssid length and performs an unbounded string copy into a fixed-size destination buffer.

Attack Vector

An authenticated attacker sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi invoking the setWiFiGuestCfg action with an overlong ssid field. The request can originate from the local network or, where remote management is enabled, from the internet. No user interaction is required.

The vulnerability manifests when the CGI handler parses the JSON payload and copies the attacker-controlled ssid string into an undersized stack buffer. See the referenced Notion Configuration Guide and VulDB #353863 for additional technical detail.

Detection Methods for CVE-2026-4976

Indicators of Compromise

• HTTP POST requests to /cgi-bin/cstecgi.cgi containing the setWiFiGuestCfg action and unusually long ssid values exceeding typical Wi-Fi SSID limits (32 bytes).
• Unexpected reboots, HTTP daemon crashes, or service restarts on Totolink LR350 devices.
• Unauthorized changes to guest Wi-Fi configuration or new outbound connections from the router management plane.

Detection Strategies

• Inspect router HTTP and syslog telemetry for malformed requests to the cstecgi.cgi endpoint, focusing on payload size anomalies in ssid parameters.
• Deploy network intrusion detection signatures that flag oversized JSON parameters sent to known Totolink CGI endpoints.
• Correlate router crash events with preceding inbound HTTP traffic to identify probing attempts.

Monitoring Recommendations

• Forward router logs to a centralized SIEM or data lake and alert on repeated cstecgi.cgi requests from a single source.
• Monitor for new administrative sessions to the LR350 management interface from unexpected source addresses.
• Track firmware version and configuration drift across managed Totolink devices to detect tampering after exploitation.

How to Mitigate CVE-2026-4976

Immediate Actions Required

• Restrict access to the LR350 web management interface to trusted management VLANs and disable WAN-side remote administration.
• Rotate administrator credentials on affected devices to limit the pool of low-privilege accounts available to attackers.
• Audit guest Wi-Fi configuration for unexpected changes and inventory all exposed Totolink LR350 devices.

Patch Information

At the time of NVD publication on 2026-03-27, no vendor advisory or fixed firmware version had been published for CVE-2026-4976. Monitor the TOTOLINK Official Website for updated firmware releases addressing the setWiFiGuestCfg buffer overflow, and apply the patch as soon as it becomes available.

Workarounds

• Disable the guest Wi-Fi feature if it is not required, removing the attack path through setWiFiGuestCfg.
• Place the router management interface behind a firewall ACL permitting only known administrator hosts.
• Replace end-of-support Totolink LR350 hardware with currently supported devices where vendor patches are not forthcoming.

# Example firewall rule restricting access to the router management interface
# Replace 192.0.2.10 with the trusted administrator host and 192.168.1.1 with the router IP
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 443 -j DROP