How is CVE-2026-10187 exploited?

Network reachability (required): The vulnerable setWiFiBasicConfig handler is exposed over the network through the web management interface, meaning an attacker must be able to reach the device's HTTP/HTTPS management port. Authentication (not-required): The CVSS vector specifies PR:N, meaning no account or session credential is needed to send the malicious KeyStr argument and trigger the overflow. Victim interaction (not-required): The CVSS vector specifies UI:N, so exploitation is fully attacker-driven and does not require any action from a user or administrator on the target device. Attack complexity (info): AC:L indicates the exploit is reliable and condition-free, requiring no race conditions, memory-layout guessing, or special environmental setup.

What is the impact of CVE-2026-10187?

Reads all data accessible to the compromised web management process, including stored Wi-Fi credentials, pre-shared keys, and administrative credentials. Modifies device configuration, enabling the attacker to change wireless settings, routing rules, or credentials to maintain persistence. Crashes the web management service or the broader device firmware, causing a denial-of-service for all users on the network segment served by the router. With code execution on the router, the attacker gains a foothold to pivot into the local network behind the device.

Back to search

CRITICALCVE-2026-10187Published 2026-05-31Modified 2026-05-31CNA VulDB

CVE-2026-10187: Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow

A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Performing a manipulation of the argument KeyStr results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A stack-based buffer overflow exists in the web management interface of the Totolink N300RH router (firmware 6.1c.1353_B20190305). The vulnerability is reachable over the network without any authentication, triggered by supplying an oversized value to the KeyStr argument of the setWiFiBasicConfig function in wireless.so. Successful exploitation gives an attacker full read/write access to the device and the ability to crash or take control of it. No vendor patch has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-10187 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulDB, NVD, and vendor advisories. Coverage extends to custom-built images that bundle Totolink firmware or derivative components alongside official base images.

Available

Triage

Triage capability is available using the CVSS v4.0 score of 9.3 (Critical), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within the customer org based on configured ownership and severity thresholds.

Available

Patch

Because no fix version has been published by Totolink, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers with auto-remediation enabled receive compensating-control recommendations including network-policy isolation and egress filtering for management interfaces.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable setWiFiBasicConfig handler is exposed over the network through the web management interface, meaning an attacker must be able to reach the device's HTTP/HTTPS management port.
AuthenticationNot required
The CVSS vector specifies PR:N, meaning no account or session credential is needed to send the malicious KeyStr argument and trigger the overflow.
Victim interactionNot required
The CVSS vector specifies UI:N, so exploitation is fully attacker-driven and does not require any action from a user or administrator on the target device.
Attack complexityDetail
AC:L indicates the exploit is reliable and condition-free, requiring no race conditions, memory-layout guessing, or special environmental setup.

Blast Radius

Reads all data accessible to the compromised web management process, including stored Wi-Fi credentials, pre-shared keys, and administrative credentials.
Modifies device configuration, enabling the attacker to change wireless settings, routing rules, or credentials to maintain persistence.
Crashes the web management service or the broader device firmware, causing a denial-of-service for all users on the network segment served by the router.
With code execution on the router, the attacker gains a foothold to pivot into the local network behind the device.

How HarborGuard Handles This

Available on HarborGuard: the CVE is flagged at Critical (9.3) severity the moment it enters the ingest pipeline, and all customer images and firmware-bundling containers are checked for the affected Totolink N300RH component (6.1c.1353_B20190305). Because Totolink has not yet published a fix, no patched-image rebuild is available upstream; HarborGuard re-evaluates the advisory on every ingest cycle and will surface a rebuild automatically once a fix is released. While no patch exists, customers can apply compensating controls: use network policy to restrict access to the device management port to trusted management hosts only, enable egress filtering to prevent the device from initiating outbound connections if compromised, and consider disabling remote web management access where operationally feasible. Customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads as soon as an upstream fix version is available.

See how HarborGuard automates this

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

Totolink / N300RH
6.1c.1353_B20190305

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References