CVE-2026-1150
Unknown Unknown - Not Provided
Command Injection in Totolink LR350 POST Request Handler

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1150
EUVD
EUVD-2026-3227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink lr350 9.3.5u.6369_b20220309
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1150 is a command injection vulnerability in the Totolink LR350 router firmware version 9.3.5u.6369_B20220309. It exists in the function setTracerouteCfg within the file /cgi-bin/cstecgi.cgi, which handles POST requests. The vulnerability arises because the "command" parameter from the POST request is not properly sanitized or validated before being executed by the system. This allows an attacker to remotely inject and execute arbitrary system commands on the device by sending crafted POST requests to the vulnerable endpoint. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to execute arbitrary commands on the affected Totolink LR350 router without authentication. This can compromise the confidentiality, integrity, and availability of the device, potentially leading to unauthorized access, control over the device, disruption of network services, or further attacks within the network. Since the exploit is publicly available and easy to execute, the risk of exploitation is significant. [2]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi with the parameter setTracerouteCfg containing the "command" argument. Detection involves inspecting network traffic for such crafted POST requests that attempt command injection. Specific detection commands are not provided in the resources. [1, 2]

Mitigation Strategies

No known countermeasures or mitigations have been identified for this vulnerability. The suggested immediate step is to replace the affected product (Totolink LR350 router version 9.3.5u.6369_B20220309) to avoid exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1150. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart