CVE-2026-15701
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-15701, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: VulDB

Description

A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. Affected by this issue is the function Form_Logout of the file /formLogout.htm of the component lighttpd. This manipulation of the argument Host causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
totolink nr1800x 9.1.0u.6279_b20210910

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate the vulnerability in Totolink NR1800X 9.1.0u.6279_B20210910, follow these immediate steps:

  • Apply the latest firmware update from Totolink if available. Check the vendor's website (https://www.totolink.net) for patches or updated firmware versions that address this issue.
  • Restrict access to the router's web interface from untrusted networks. Use firewall rules to block external access to the router's HTTP/HTTPS ports (typically 80 and 443) from the internet.
  • Disable remote management features if they are not required. This prevents attackers from exploiting the vulnerability remotely.
  • Monitor network traffic for signs of exploitation attempts, such as HTTP requests containing 'formLogout.htm' with oversized Host headers. Use intrusion detection/prevention systems (IDS/IPS) to block such requests.
  • If possible, replace the router with a model that receives regular security updates or is not affected by this vulnerability.
Executive Summary

CVE-2026-15701 is a stack-based buffer overflow vulnerability in the Totolink NR1800X router, specifically in firmware version 9.1.0u.6279_B20210910. The issue occurs in the Form_Logout function of the lighttpd component, which is accessible via the /formLogout.htm file.

The vulnerability is triggered by manipulating the Host argument in an HTTP request. An attacker can send a specially crafted request with a Host header exceeding 245 bytes, which is then copied into a fixed-size stack buffer using an unsafe strcpy operation. This causes a stack-based buffer overflow, allowing remote code execution or denial of service.

The attack can be carried out remotely without authentication because the router's authentication check only verifies the presence of 'formLogout.htm' in the URI, not the user's credentials. This makes the vulnerability particularly dangerous, as it can be exploited by unauthenticated attackers.

  • Affected component: lighttpd binary at /usr/sbin/lighttpd, specifically the Form_Logout function.
  • Vulnerable function address: 0x00408C2C.
  • CWE classification: CWE-121 (Stack-based Buffer Overflow).
  • Exploitation method: Sending a malformed HTTP GET request with an oversized Host header.
Impact Analysis

This vulnerability can have severe impacts if you are using the affected Totolink NR1800X router with firmware version 9.1.0u.6279_B20210910.

  • Remote Code Execution (RCE): An attacker could exploit this vulnerability to execute arbitrary code on your router. This could allow them to take full control of the device, modify its settings, or use it as a pivot point to attack other devices on your network.
  • Denial of Service (DoS): The vulnerability could be used to crash the router, causing a disruption in your network connectivity and services.
  • Unauthorized Access: Since the exploit does not require authentication, attackers can gain access to your router without needing credentials. This could lead to further attacks, such as intercepting or modifying network traffic.
  • Network Compromise: If the router is compromised, attackers could potentially access sensitive information transmitted over your network, such as login credentials, personal data, or financial information.
  • Propagation of Attacks: A compromised router could be used to launch attacks against other devices or networks, potentially making you an unwitting participant in larger-scale attacks like botnets or distributed denial-of-service (DDoS) attacks.
Compliance Impact

This vulnerability can significantly impact compliance with various standards and regulations, depending on the context in which the affected router is used.

  • GDPR (General Data Protection Regulation): If the router is used in an environment where personal data of EU citizens is processed, a breach resulting from this vulnerability could lead to unauthorized access or disclosure of personal data. Under GDPR, organizations must implement appropriate technical measures to protect personal data. Failure to address this vulnerability could result in non-compliance, leading to fines of up to 4% of global annual revenue or €20 million, whichever is higher.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI) in the U.S., this vulnerability could lead to unauthorized access to PHI if the router is part of a healthcare network. HIPAA requires covered entities to implement safeguards to protect PHI, and a breach could result in significant penalties, including fines and corrective action plans.
  • PCI DSS (Payment Card Industry Data Security Standard): If the router is part of a network processing payment card data, this vulnerability could lead to unauthorized access to cardholder data. PCI DSS requires organizations to maintain a secure network, and failure to address this vulnerability could result in non-compliance, leading to fines, increased transaction fees, or loss of the ability to process payment cards.
  • NIST and ISO Standards: Many organizations adhere to frameworks like NIST SP 800-53 or ISO 27001, which require the implementation of security controls to protect information systems. This vulnerability represents a failure to implement adequate access controls and secure coding practices, potentially leading to non-compliance with these standards.

In summary, the vulnerability undermines the security controls required by these regulations and standards, potentially leading to legal, financial, and reputational consequences for affected organizations.

Detection Guidance

To detect the vulnerability in Totolink NR1800X 9.1.0u.6279_B20210910, you can check for the presence of the affected firmware version and inspect network traffic for suspicious HTTP requests targeting the vulnerable endpoint.

  • Verify the firmware version of your Totolink NR1800X router. If it matches V9.1.0u.6279_B20210910, the system is vulnerable.
  • Use network monitoring tools like Wireshark or tcpdump to capture HTTP traffic. Look for requests containing 'formLogout.htm' in the URI and a Host header exceeding 245 bytes. Example tcpdump command: tcpdump -i any -s 0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'formLogout.htm'.
  • Check the lighttpd binary on the router for the vulnerable function. If you have access to the router's filesystem, inspect /usr/sbin/lighttpd for the Form_Logout function at address 0x00408C2C.
  • Use vulnerability scanning tools like Nessus or OpenVAS to scan for CVE-2026-15701 on your network.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15701. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart