New CVE Detected

CVE-2026-10187 – Stack-Based Buffer Overflow (RCE) – Totolink N300RH (firmware 6.1c.1353_B20190305)

Summary

CVE-2026-10187 is a critical stack-based buffer overflow vulnerability in the Web Management Interface of the Totolink N300RH wireless router (firmware 6.1c.1353_B20190305). The flaw resides in the setWiFiBasicConfig function within the wireless.so library, where user-supplied input to the KeyStr argument is written into a fixed-size stack buffer without bounds checking. It carries a CVSS v3.1 score of 9.8 (Critical) and can be exploited remotely without authentication or user interaction, with a public exploit already in circulation.

Technical details

  • Root cause: Insufficient input validation in the setWiFiBasicConfig function of wireless.so; oversized data supplied to the KeyStr argument overflows a fixed-length stack buffer (CWE-121: Stack-Based Buffer Overflow).
  • Trigger conditions: An unauthenticated attacker sends a crafted HTTP POST request to the /cgi-bin/cstecgi.cgi endpoint of the router’s Web Management Interface, passing an excessively long value for the KeyStr parameter.
  • Attack vector: Network-accessible; no authentication required, no user interaction required, no prior foothold needed — the management interface must be reachable by the attacker.
  • Impact: Full compromise of confidentiality, integrity, and availability of the affected device; the overflow can redirect execution flow, consistent with unauthenticated remote code execution (RCE). The device could be weaponized for botnet recruitment, lateral movement, or persistent network access.
  • Public exploit: A proof-of-concept exploit is publicly available (CVSS 4.0 Exploit Maturity: Proof-of-Concept).
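
A detection sketch for the trigger condition above, added here as an example (not IONIX or Totolink code). It flags POST requests to /cgi-bin/cstecgi.cgi whose KeyStr value is longer than any valid Wi-Fi key. The record layout, the JSON or form-encoded body handling, and the 64-character threshold (which assumes KeyStr carries the WPA key) are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/cstecgi.cgi"   # endpoint named in the advisory
PARAM = "KeyStr"                    # parameter named in the advisory
# Assumption: KeyStr is the WPA key, so 64 characters is the longest valid
# value (63-character passphrase or 64 hex digits).
MAX_KEY_LEN = 64


def extract_param(body: str, name: str = PARAM):
    """Return the parameter from a JSON or form-encoded body, else None."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and name in doc:
            return str(doc[name])
    except ValueError:
        pass  # not JSON; fall through to form decoding
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def is_suspicious(method: str, url: str, body: str) -> bool:
    """True for a POST to the CGI endpoint whose KeyStr exceeds MAX_KEY_LEN."""
    if method.upper() != "POST" or urlsplit(url).path != ENDPOINT:
        return False
    value = extract_param(body)
    return value is not None and len(value) > MAX_KEY_LEN


# Constructed sample records (source, method, URL, body); not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", ENDPOINT, json.dumps({"KeyStr": "correct-horse-battery"})),
    ("198.51.100.7", "POST", ENDPOINT, json.dumps({"KeyStr": "A" * 300})),
    ("198.51.100.7", "POST", ENDPOINT, "KeyStr=" + "B" * 300),
    ("203.0.113.5", "GET", ENDPOINT, ""),
    ("203.0.113.5", "POST", "/login.html", json.dumps({"KeyStr": "C" * 300})),
]


def flag(records):
    """Return the source address of every record matching the rule."""
    return [src for src, method, url, body in records
            if is_suspicious(method, url, body)]


if __name__ == "__main__":
    print(flag(SAMPLE))
```

Feed it records parsed from a reverse proxy, WAF, or packet capture that retains request bodies; access logs that store only the request line cannot show the KeyStr length.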

Affected software

  • Totolink N300RH — firmware version 6.1c.1353_B20190305

Severity

  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigation and recommended actions

  • Patch: No vendor-issued firmware patch has been documented for this vulnerability at the time of publication. Monitor the Totolink official support site for firmware updates and apply them immediately upon release.
  • Immediate workarounds (apply now):
    • Disable WAN-facing web management access: Restrict the router’s HTTP management interface to LAN-only access; ensure the management port is not reachable from the public internet.
    • Firewall/ACL enforcement: Use upstream firewall rules to block inbound access to the router’s web management port (typically TCP 80, 8080, 8443, or 1024, depending on configuration) from external networks.
    • Network segmentation: Isolate SOHO routers from critical network segments to limit the blast radius of a compromise.
    • Device replacement: Given the age of the firmware (2019) and the absence of a patch, organizations should evaluate replacing end-of-life Totolink N300RH devices with actively maintained alternatives.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

How IONIX’s External Exposure Management Platform Detects and Validates Zero-Days to Shrink MTTR

1

Map your entire attack surface (continuously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.
