{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/wa300-5.2cu.7112_b20190227/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7719"}],"_cs_exploited":false,"_cs_products":["WA300 5.2cu.7112_B20190227"],"_cs_severities":["critical"],"_cs_tags":["buffer overflow","remote code execution","cve-2026-7719","totolink"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7719, has been discovered in Totolink WA300 version 5.2cu.7112_B20190227. This vulnerability resides within the \u003ccode\u003eloginauth\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, affecting the POST Request Handler component. The vulnerability is triggered by manipulating the \u003ccode\u003ehttp_host\u003c/code\u003e argument in a POST request. The exploit is publicly available, increasing the risk of widespread exploitation. This vulnerability allows for remote code execution, potentially granting attackers full control over the affected device. The affected version was released in February 2019. 
Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes a specially crafted \u003ccode\u003ehttp_host\u003c/code\u003e argument designed to overflow the buffer in the \u003ccode\u003eloginauth\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eloginauth\u003c/code\u003e function processes the \u003ccode\u003ehttp_host\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ehttp_host\u003c/code\u003e argument overwrites adjacent memory regions, including the return address on the stack.\u003c/li\u003e\n\u003cli\u003eUpon completion of the \u003ccode\u003eloginauth\u003c/code\u003e function, the overwritten return address is used, redirecting execution to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with elevated privileges, allowing the attacker to execute arbitrary commands on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the device, potentially using it for malicious purposes such as botnet participation, data theft, or further network penetration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7719 allows a remote attacker to execute arbitrary code on the vulnerable Totolink WA300 device. 
This can lead to complete device compromise, allowing the attacker to steal sensitive information, use the device as a botnet node, or pivot to other devices on the network. Given the public availability of the exploit, widespread exploitation is possible, potentially affecting a large number of home and small business networks using the vulnerable device.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Totolink WA300 HTTP Host Buffer Overflow Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusually long \u003ccode\u003ehttp_host\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to filter out malicious requests targeting CVE-2026-7719.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of the firmware or replace the affected device to remediate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T02:15:58Z","date_published":"2026-05-04T02:15:58Z","id":"/briefs/2024-01-totolink-wa300-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Totolink WA300 version 5.2cu.7112_B20190227 within the loginauth function of the /cgi-bin/cstecgi.cgi file, specifically affecting the POST Request Handler component, triggerable via manipulation of the http_host argument, and remotely exploitable with a publicly available exploit.","title":"Totolink WA300 Buffer Overflow Vulnerability (CVE-2026-7719)","url":"https://feed.craftedsignal.io/briefs/2024-01-totolink-wa300-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7717"}],"_cs_exploited":false,"_cs_products":["WA300 
5.2cu.7112_B20190227"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","remote-code-execution","router"],"_cs_type":"threat","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in the Totolink WA300 wireless router, specifically version 5.2cu.7112_B20190227. The vulnerability resides within the \u003ccode\u003eUploadCustomModule\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the \u003ccode\u003eFile\u003c/code\u003e argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. Defenders should prioritize detection and mitigation strategies to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003eFile\u003c/code\u003e argument with a payload exceeding the buffer size allocated for the \u003ccode\u003eUploadCustomModule\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUploadCustomModule\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003eFile\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003eFile\u003c/code\u003e argument overwrites adjacent memory regions, 
including potentially critical program data and control flow instructions.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow allows the attacker to inject and execute arbitrary code on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the device with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device\u0026rsquo;s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Totolink WA300 UploadCustomModule Buffer Overflow Attempt\u003c/code\u003e to detect malicious POST requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusually large \u003ccode\u003eFile\u003c/code\u003e parameters, as indicated in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Totolink to patch CVE-2026-7717 if they become available.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other internal network 
resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T01:16:05Z","date_published":"2026-05-04T01:16:05Z","id":"/briefs/2026-05-totolink-wa300-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file in the POST Request Handler component of Totolink WA300 version 5.2cu.7112_B20190227, which can be exploited by manipulating the File argument.","title":"Totolink WA300 Buffer Overflow Vulnerability in UploadCustomModule","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — WA300 5.2cu.7112_B20190227","version":"https://jsonfeed.org/version/1.1"}