PT-2026-3433 · Totolink · Totolink Lr350
Wxhwxhwxh_Tutu · Published 2025-01-10 · Updated 2026-01-29 · CVE-2026-1150
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Totolink LR350 version 9.3.5u.6369 B20220309
Description
Totolink LR350 is affected by a command injection vulnerability in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi file, specifically in the POST Request Handler component. Manipulating the command argument allows remote execution of commands. The exploit for this issue has been publicly released.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Command Injection
Special Elements Injection
Related Identifiers
Affected Products
Totolink Lr350