eastbaycyber

CVE-2026-10187: TOTOLINK N300RH Web Management Buffer Overflow

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-31
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-10187
CVSS score 9.8 (Critical)
Attack vector Remote
Auth required Unknown from primary scoring data; defenders should assume unauthenticated risk until vendor/NVD clarifies
Patch status No vendor-confirmed fix mapping found; newer firmware exists, but remediation for this CVE is not confirmed

TL;DR - Critical remote stack-based buffer overflow in TOTOLINK N300RH web management. - Confirmed affected firmware: 6.1c.1353_B20190305; public exploit is reported by NVD. - No confirmed in-the-wild abuse yet, but internet-exposed admin interfaces should be treated as urgent risk.

What happened and why it matters

CVE-2026-10187 is a critical vulnerability in the TOTOLINK N300RH router’s web management interface. According to the NVD description, the flaw exists in the setWiFiBasicConfig function of wireless.so, where manipulation of the KeyStr argument can trigger a stack-based buffer overflow. NVD also states that the attack can be carried out remotely and that “the exploit is now public and may be used.”

For practitioners, the important point is not just that this is memory corruption, but that it affects a router management surface. That matters because SMBs and home-office environments often leave embedded device administration reachable from trusted internal segments, and in some cases from the internet. A critical remote overflow in a web admin component can create a path to full device compromise, configuration tampering, traffic interception, botnet enrollment, or persistence on a network edge device.

The confirmed affected firmware version is 6.1c.1353_B20190305 on the TOTOLINK N300RH. Based on the available primary-source material, that is the only version that can be stated with confidence. There is not yet an accessible vendor advisory, release note, or patch bulletin that broadens the affected range or explicitly names a fixed version. In practice, defenders should avoid assuming safety for adjacent builds until the vendor says otherwise.

AnalystImpact · assess the risk

Affected versions and fixed version status

The only confirmed affected version in the available record is:

  • Product: TOTOLINK N300RH
  • Affected firmware version: 6.1c.1353_B20190305

That narrow statement is important because many CVE summaries online overgeneralize impact across an entire product family. Here, the evidence available from NVD names one specific build. If you run that exact firmware, you should treat the device as vulnerable. If you run a different N300RH build, you should not claim immunity based on absence of proof; instead, verify the exact version and check vendor resources for newer firmware for your hardware revision.

A fixed version is not confirmed from primary source at the time of writing. Official TOTOLINK support resources do show newer firmware entries for the N300RH product line, including:

  • N300RH-V3_Firmware V3.2.4-B20190426
  • N300RH-V3_Firmware V3.2.4-B20190807
  • N300RH V3_Firmware V3.2.4-B20201030

However, accessible source material does not explicitly state that any of those builds remediate CVE-2026-10187. That means defenders should phrase patch status carefully: newer firmware is available, but a vendor-confirmed fixed version number is unknown. In the absence of confirmation, the safest operational stance is to move to the latest supported firmware for the exact hardware revision while also reducing exposure through access controls.

Exploitation status: public exploit vs. in-the-wild use

The strongest confirmed exploitation statement comes from NVD itself: “The exploit is now public and may be used.” That means defenders should treat this issue as having crossed the threshold from theoretical risk to weaponizable risk. Public exploit availability often shortens the time between disclosure and opportunistic scanning, especially for edge devices with HTTP-based management planes.

At the same time, confirmed exploitation in the wild is not established from the sources provided. This CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog as of 2026-05-31, and no primary-source evidence in the research note confirms active attacks. Those two facts should prevent overstatement. The right phrasing is:

  • Public exploit / PoC: Yes, according to NVD wording
  • Confirmed in-the-wild exploitation: Not confirmed
  • On CISA KEV: No

For defenders, “not confirmed in the wild” should not be interpreted as low urgency. Router vulnerabilities often become mass-scanned quickly, and embedded web interfaces rarely have strong logging, EDR, or easy forensic visibility. When evidence is incomplete, assume exploitation is possible now and prioritize exposure reduction.

Risk assessment for defenders

This CVE deserves high priority because it combines four bad properties: a critical severity score, remote reachability, memory corruption, and stated public exploit availability. On an edge device, those factors create outsized risk compared with a typical internal application flaw. A compromised router can alter traffic, weaken segmentation, tamper with DNS, and provide a durable foothold that endpoint tools may never see.

The main uncertainty is patch status, not impact. We know the affected firmware version, the vulnerable component, the parameter involved, and that NVD describes public exploit availability. What we do not know from accessible vendor documentation is the precise fixed version or whether additional builds are affected. In the absence of that data, defenders should assume exposure remains meaningful until they either upgrade to the latest available supported firmware or replace the device.

ResponderRunbook · act now

How to identify exposure in your environment

Start with asset inventory. Many organizations do not centrally track branch-office routers or SMB network appliances with the same rigor as servers and endpoints. If TOTOLINK gear exists in retail sites, small offices, labs, partner networks, or unmanaged remote locations, this CVE should trigger an immediate check of model and firmware.

If you have direct administrative access to the device, verify the model and firmware version in the web UI or any status page that shows build information. The key value to look for is 6.1c.1353_B20190305. If you manage devices remotely, also determine whether the web management interface is exposed to the public internet, reachable from guest VLANs, or accessible from flat internal user networks.

You should also validate whether remote administration is enabled and whether device management occurs over HTTP rather than HTTPS. Even if the vulnerable build is only internally reachable, compromise from a workstation on the same network segment could still provide a path to router takeover. For branch deployments, confirm whether port forwarding, UPnP-created rules, or ISP-side remote administration features unintentionally expose the interface.

Technical Notes: exposure validation

The exact TOTOLINK UI path can vary by hardware revision and firmware, but defenders can still use practical checks to identify likely exposure.

# Find HTTP/HTTPS services on likely gateway IPs
for ip in 192.168.0.1 192.168.1.1 192.168.100.1; do
  nmap -Pn -p 80,443 $ip
done
# Capture HTTP headers or login page markers from the router
curl -I http://192.168.0.1/
curl -sk https://192.168.0.1/
# From an external validation host, test whether management is internet-exposed
nmap -Pn -p 80,443 <public-ip-of-site>

If you cannot confirm firmware remotely, assume any N300RH still running legacy firmware is high risk until checked locally. Because vendor fix mapping is unclear, do not rely on version naming alone without validating the exact hardware revision and support page entry.

Detection and monitoring guidance

Detection is difficult for consumer and SMB routers because logs are often sparse and may not retain detailed request traces. Still, defenders can look for signs of probing or exploitation attempts against the management interface, especially requests related to Wi-Fi configuration changes, unusual POST requests to CGI-like handlers, or repeated long parameter values aimed at the device’s admin endpoints.

Because the NVD description names setWiFiBasicConfig and the attacker-controlled argument KeyStr, you should specifically look for HTTP requests targeting Wi-Fi configuration actions that include abnormally long KeyStr values. If you use a reverse proxy, upstream firewall, IDS, or packet capture around branch connectivity, that network-layer visibility may be more reliable than the router’s own logs.

Another useful signal is unplanned device instability. Stack-based buffer overflows in embedded admin components often cause process crashes, watchdog restarts, or full reboots before reliable code execution is achieved. Unexpected router restarts, sudden admin lockouts, changed wireless settings, or unexplained DNS/network behavior should be investigated as possible compromise indicators.

Technical Notes: detection ideas

Example log pattern to watch for in HTTP logs or network telemetry:

POST /... HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded

...KeyStr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

Suricata-style rule concept for oversized KeyStr in HTTP client body:

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"Possible CVE-2026-10187 exploitation attempt - oversized KeyStr";
  flow:to_server,established;
  http.method; content:"POST";
  http.request_body; content:"KeyStr=";
  pcre:"/KeyStr=[A-Za-z0-9%]{128,}/Pi";
  classtype:web-application-attack;
  sid:2026101871;
  rev:1;
)

Example Splunk search if you log HTTP requests from a proxy, WAF, or sensor in front of admin interfaces:

index=network_http (dest_ip=<router_ip> OR url_host=<router_host>)
("KeyStr=" AND method=POST)
| eval keystr_len=len(replace(_raw, ".*KeyStr=([^& ]+).*", "\1"))
| where keystr_len > 128
| table _time src_ip dest_ip uri method status keystr_len

These detections are heuristic, not guaranteed signatures. If you do not have HTTP visibility for the router, monitor for secondary indicators: reboot events, configuration drift, failed admin login anomalies, and changes to DNS, NAT, or wireless settings.

Mitigation and patching

Because a vendor-confirmed fixed version is not available from the accessible primary sources, mitigation has to combine firmware hygiene with exposure reduction. The first priority is to identify any TOTOLINK N300RH running the specifically named vulnerable firmware 6.1c.1353_B20190305. Those devices should be treated as urgent remediation targets.

The second priority is to update to the latest firmware available for the exact hardware revision from the official TOTOLINK support site. This is the most practical remediation path available, even though explicit CVE remediation language is not currently confirmed. Be careful with hardware revision matching: applying the wrong image to embedded devices can brick them or leave them unstable.

Where immediate upgrade is not possible, disable remote administration, restrict management access to a dedicated admin host or management VLAN, and block inbound internet access to ports 80/443 on the router. If the device is old, unsupported, or internet-exposed in a way you cannot safely control, replacement should be part of the mitigation plan. For SMBs, replacing end-of-life edge routers is often a lower-risk option than relying on uncertain patch status.

Technical Notes: specific upgrade and workaround steps

Use official TOTOLINK support resources to obtain the latest firmware for the exact N300RH revision. Since TOTOLINK firmware updates are commonly applied through the web UI rather than package managers, the practical “upgrade command” is a sequence of administrative actions plus network controls.

Example operational workflow:

# 1) Back up the current configuration if the UI allows it.
# 2) Download the newest firmware for the exact hardware revision from:
#    https://www.totolink.net/home/news/me_name/id/39/menu_listtpl/DownloadC.html
# 3) Upload the firmware in the router web UI.
# 4) Reboot and verify the reported firmware build.

Immediate workaround controls at the network edge:

# Block remote internet access to router web admin on a perimeter firewall
iptables -A INPUT -p tcp --dport 80 -s 0.0.0.0/0 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 0.0.0.0/0 -j DROP

If you manage an upstream firewall rather than the router itself, restrict access to the router admin IP so only a jump host or management subnet can reach it:

# Example: allow only management subnet to access router web admin
iptables -A FORWARD -p tcp -s 10.10.50.0/24 -d 192.168.0.1 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.10.50.0/24 -d 192.168.0.1 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 443 -j DROP

If your environment does not support these exact commands, apply the same policy using your firewall platform: no internet exposure, admin access only from a trusted management segment, and remove unnecessary HTTP access entirely.

References

For further information on digital forensics, check out our guide on how to do digital forensics on Linux and learn about key management services.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-31

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.