https://feed.craftedsignal.io/products/nr1800x-9.1.0u.6279_b20210910/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 03:16:01 +0000https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/Fri, 01 May 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-rce/A stack-based buffer overflow vulnerability (CVE-2026-7546) in the Totolink NR1800X router allows remote attackers to achieve arbitrary code execution by sending a crafted HTTP request with a manipulated Host header to the vulnerable lighttpd component.A critical security vulnerability, CVE-2026-7546, affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the find_host_ip function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.

Attack Chain

1. The attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.
2. The attacker crafts a malicious HTTP request targeting the router’s web interface.
3. The crafted request includes a Host header with a string exceeding the buffer size allocated in the find_host_ip function within the lighttpd component.
4. The router’s lighttpd server processes the HTTP request and passes the Host header value to the vulnerable function.
5. The find_host_ip function attempts to store the oversized Host value in a stack-allocated buffer.
6. A stack-based buffer overflow occurs due to the insufficient buffer size.
7. The overflow overwrites adjacent memory on the stack, potentially including the return address.
8. The attacker gains arbitrary code execution on the device.

Impact

Successful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.

Recommendation

• Apply available patches released by Totolink to remediate CVE-2026-7546.
• Monitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers with the Sigma rule “Detect Suspiciously Long Host Header”.
• Implement network segmentation to limit the impact of a compromised router.
• Review and harden router configurations, including disabling remote administration if not required.

]]>criticaladvisorycveremote code executionbuffer overflowrouterhttps://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/Fri, 01 May 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/A command injection vulnerability exists in Totolink NR1800X version 9.1.0u.6279_B20210910, affecting the function sub_41A68C of the file /cgi-bin/cstecgi.cgi; by manipulating the argument setUssd, a remote attacker can inject commands, and an exploit is publicly available.A command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the sub_41A68C function of the /cgi-bin/cstecgi.cgi file. By manipulating the setUssd argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.

Attack Chain

1. The attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.
2. The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
3. The HTTP request includes the setUssd argument with a malicious payload designed to inject a command.
4. The sub_41A68C function processes the setUssd argument without proper sanitization.
5. The injected command is executed by the system with the privileges of the web server process.
6. The attacker gains initial access and can execute arbitrary commands on the device.
7. The attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.

Recommendation

• Monitor web server logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command injection attempts in the setUssd parameter, using the Sigma rule provided below.
• Implement rate limiting on the /cgi-bin/cstecgi.cgi endpoint to mitigate brute-force exploitation attempts.
• Apply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.
• Deploy the Sigma rule to your SIEM and tune for your environment.

]]>criticaladvisorycommand-injectionrouternetwork