CVE-2026-6168
Stack-Based Buffer Overflow in TOTOLINK A7000R WiFi Config CGI
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7000r | up to and including 9.1.0u.6115 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the TOTOLINK A7000R router firmware version 9.1.0u.6115 and earlier, specifically in the function setWiFiEasyGuestCfg within the cstecgi.cgi binary file.
The issue arises because the function does not properly validate the length of the ssid5g parameter before processing it. The ssid5g parameter is obtained from the front-end, URL-decoded, and then copied into a fixed-size 128-byte buffer on the stack without boundary checks.
An attacker can exploit this by sending a crafted HTTP POST request with an excessively long ssid5g value, causing a stack-based buffer overflow. This overflow can overwrite adjacent memory on the stack, potentially leading to undefined behavior or remote code execution.
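The missing check described above, sketched as an added example (not TOTOLINK's code and not taken from the advisory): a URL decoder that enforces the destination capacity, plus a handler-side length check. The function names, the 32-octet `SSID_MAX` limit (the 802.11 SSID maximum) and the inputs used to exercise it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SSID_BUF 128 /* stack buffer size stated in the advisory */
#define SSID_MAX 32  /* assumption: enforce the 802.11 SSID limit of 32 octets */

/* Hypothetical unsafe pattern (illustration only, not the firmware's source):
 *   char ssid[SSID_BUF]; url_decode(raw, tmp); strcpy(ssid, tmp);
 * The decoded length is never compared against the destination size. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* URL-decode src into dst, whose capacity cap includes the terminator.
 * Returns the decoded length, or -1 on a malformed escape, an embedded
 * NUL, or input that does not fit. */
int decode_bounded(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*src) {
        int ch;
        if (*src == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;       /* truncated or non-hex escape */
            ch = hi * 16 + lo;
            src += 3;
        } else {
            ch = (*src == '+') ? ' ' : (unsigned char)*src;
            src++;
        }
        if (ch == 0) return -1;          /* %00 would silently truncate */
        if (n + 1 >= cap) return -1;     /* keep room for the terminator */
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Handler-side check: 0 and a filled ssid on success, -1 to reject. */
int parse_ssid5g(const char *raw, char ssid[SSID_BUF]) {
    int n = decode_bounded(raw, ssid, SSID_BUF);
    if (n < 1 || n > SSID_MAX) { ssid[0] = '\0'; return -1; }
    return 0;
}
```

The length is checked after decoding, because a percent-encoded value is up to three times longer on the wire than in the buffer.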
How can this vulnerability impact me?
The vulnerability allows remote attackers to cause a stack-based buffer overflow by sending a specially crafted HTTP POST request to the router's CGI interface.
This can lead to serious impacts such as remote code execution, denial of service, or unauthorized control over the affected device.
Because the exploit is publicly available, attackers can easily leverage this flaw to compromise the router remotely without user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP POST request to the endpoint /cgi-bin/cstecgi.cgi on the TOTOLINK A7000R router. The request should include the parameter ssid5g with an excessively long string value that exceeds the 128-byte buffer size.
A proof-of-concept detection method involves using a command-line tool like curl to send the malicious POST request with content type application/x-www-form-urlencoded and parameters such as key, hssid, wifiOff, wifiOff5g, topicurl set to "setWiFiEasyGuestCfg", and ssid5g filled with a long string of characters.
- Example curl command to test the vulnerability: curl -X POST http://<router-ip>/cgi-bin/cstecgi.cgi -H "Content-Type: application/x-www-form-urlencoded" -d "key=somekey&hssid=somehssid&wifiOff=0&wifiOff5g=0&topicurl=setWiFiEasyGuestCfg&ssid5g=$(python3 -c 'print("a"*200)')"
If the router is vulnerable, this request may cause abnormal behavior such as a crash or reboot, indicating the presence of the stack-based buffer overflow.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web management interface to trusted networks only, such as limiting access to the local network or specific IP addresses.
Avoid exposing the router's CGI interface to the internet to prevent remote exploitation.
Monitor for unusual router behavior such as crashes or reboots that may indicate exploitation attempts.
Check for and apply any available firmware updates from TOTOLINK that address this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.