{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6194/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6194"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6194","buffer-overflow","totolink","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6194 describes a stack-based buffer overflow vulnerability present in Totolink A3002MU router firmware version B20211125.1046. The vulnerability resides within the HTTP Request Handler, specifically in the \u003ccode\u003esub_410188\u003c/code\u003e function of the \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e file. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the \u003ccode\u003ewan-url\u003c/code\u003e argument, leading to arbitrary code execution on the device. Publicly available exploit code increases the likelihood of exploitation. Successful exploitation allows an attacker to compromise the device and potentially gain control of the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink A3002MU router running firmware B20211125.1046.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ewan-url\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it in the \u003ccode\u003esub_410188\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe HTTP Request Handler processes the request and calls the vulnerable \u003ccode\u003esub_410188\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized \u003ccode\u003ewan-url\u003c/code\u003e argument overflows the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon returning from the \u003ccode\u003esub_410188\u003c/code\u003e function, execution is redirected to an attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially gaining full control of the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6194 can lead to complete compromise of the affected Totolink A3002MU router. This allows attackers to eavesdrop on network traffic, modify DNS settings, inject malicious code into web pages served to connected clients, or use the compromised router as a botnet node. Given the widespread use of these routers, a large number of devices could be at risk, potentially impacting home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e with unusually long \u003ccode\u003ewan-url\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Suspicious WAN-URL Parameter Length\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect and alert on potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf possible, block requests matching the patterns identified in the Sigma rules at your network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-totolink-a3002mu-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-6194) exists in the Totolink A3002MU B20211125.1046 router firmware, specifically affecting the `/boafrm/formWlanSetup` component's HTTP request handler, which allows remote attackers to execute arbitrary code by manipulating the `wan-url` argument.","title":"Totolink A3002MU Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-a3002mu-bo/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6194","version":"https://jsonfeed.org/version/1.1"}