Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.
AnalysisAI
Buffer overflow in TOTOLINK A800R router firmware 4.1.2cu.5137 enables authenticated remote attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in the setWiFiMultipleConfig function of the wireless configuration module (wireless.so) within the cstecgi.cgi web interface, exploitable via malformed wepkey2 parameter. Public proof-of-concept exploit code is available on GitHub. EPSS data not provided, CISA KEV status not listed, indicating exploitation is demonstrated but not yet observed in widespread campaigns.
Technical ContextAI
This is a classic stack-based buffer overflow (CWE-120) in embedded router firmware. The vulnerable component is the wireless.so shared library loaded by the cstecgi.cgi CGI handler, which processes WiFi configuration requests on TOTOLINK A800R routers. The setWiFiMultipleConfig function fails to validate the length of the wepkey2 parameter before copying it into a fixed-size stack buffer. When processing WEP key configuration through the web management interface, an attacker-controlled WEP key value exceeding buffer boundaries overwrites adjacent stack memory. In embedded Linux devices like this router, successful exploitation typically allows control of the instruction pointer, enabling arbitrary code execution in the context of the web server process (often running as root or with elevated privileges on SOHO routers). The CPE string identifies this as code-projects For Plugin, but cross-referencing the GitHub POC confirms this actually affects TOTOLINK A800R router hardware running firmware version 4.1.2cu.5137.
RemediationAI
No vendor-released patch identified at time of analysis - TOTOLINK vendor advisory not found in provided references. Immediate compensating controls: (1) Disable remote management access to the router's web interface, restricting access to local network only (eliminates remote attack vector but allows LAN-based exploitation). (2) Change default administrative credentials to strong unique passwords exceeding 16 characters (raises bar for PR:L requirement but does not eliminate vulnerability). (3) Implement network segmentation placing the router's management interface on isolated VLAN accessible only from dedicated admin workstations (reduces exposure but adds network complexity). (4) Monitor for unusual authentication attempts or configuration changes in router logs (detection only, does not prevent exploitation). (5) If business requirements permit, replace affected TOTOLINK A800R devices with alternative router models from vendors with established security update programs (most effective but requires hardware investment). Check TOTOLINK's support portal at https://www.totolink.net/ for firmware updates released after this analysis. The GitHub POC (https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A800R/02_Buffer_Overflow_setWiFiMultipleConfig.md) provides technical details useful for validating patch effectiveness when released.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26450