Skip to content
Threat Feed
Subscribe
critical threat

Totolink N300RH Stack-Based Buffer Overflow Vulnerability (CVE-2026-10187)

A stack-based buffer overflow vulnerability, CVE-2026-10187, exists in the setWiFiBasicConfig function of the wireless.so file in the Web Management Interface of Totolink N300RH version 6.1c.1353_B20190305, allowing a remote attacker to execute arbitrary code by manipulating the KeyStr argument.

A stack-based buffer overflow vulnerability has been identified in Totolink N300RH router, version 6.1c.1353_B20190305. The vulnerability resides in the setWiFiBasicConfig function within the wireless.so file, a component of the device's web management interface. Publicly available exploits demonstrate that a remote attacker can leverage this vulnerability by manipulating the KeyStr argument passed to the vulnerable function, resulting in arbitrary code execution on the device. The affected version was released in March 2019, suggesting that many devices are potentially vulnerable due to lack of updates. This poses a significant risk, as successful exploitation could allow attackers to gain full control of the router, compromise connected devices, and intercept network traffic.

Attack Chain

  1. The attacker identifies a vulnerable Totolink N300RH router running firmware version 6.1c.1353_B20190305.
  2. The attacker sends a crafted HTTP request to the router's web management interface.
  3. The HTTP request targets the setWiFiBasicConfig function.
  4. The request includes a malicious payload in the KeyStr argument, designed to overflow the stack buffer.
  5. The wireless.so library processes the request without proper bounds checking on the KeyStr argument.
  6. The buffer overflow overwrites critical memory regions, including the return address.
  7. Upon returning from the function, execution jumps to the attacker-controlled address, allowing for arbitrary code execution.
  8. The attacker gains a shell on the router and can perform malicious actions.

Impact

Successful exploitation of CVE-2026-10187 can lead to full compromise of the Totolink N300RH router. Attackers can leverage this access to intercept network traffic, modify DNS settings, create backdoors, and potentially compromise other devices on the network. Due to the high CVSS score (9.8), the impact is considered critical, allowing for complete control over the affected device. Given the nature of routers as network gateways, this vulnerability can serve as an entry point for wider attacks on home or small business networks.

Recommendation

  • Deploy the Sigma rule Detect CVE-2026-10187 Exploitation Attempt via Long KeyStr to identify suspicious HTTP requests targeting the setWiFiBasicConfig function with abnormally long KeyStr arguments.
  • Block or investigate any traffic to the setWiFiBasicConfig endpoint originating from unexpected IP addresses, based on observed network connections.
  • Monitor webserver logs for POST requests to the setWiFiBasicConfig endpoint, based on webserver log source.

Detection coverage 2

Detect CVE-2026-10187 Exploitation Attempt via Long KeyStr

high

Detects CVE-2026-10187 exploitation attempt by monitoring for HTTP POST requests to setWiFiBasicConfig with excessively long KeyStr values, indicating a potential buffer overflow attempt.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detect CVE-2026-10187 Exploitation Attempt via setWiFiBasicConfig

medium

Detects CVE-2026-10187 exploitation attempt by monitoring HTTP POST requests to the web management interface specifically targeting the `setWiFiBasicConfig` function in the wireless settings.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →