Severity: CRITICAL | CVE-2026-44089 | CNA: CERT-PL

CVE-2026-44089: Buffer Overflow in Totolink EX1200L router

The Totolink EX1200L router is vulnerable to a buffer overflow in the login functionality of the cgi-bin/cstecgi.cgi endpoint. This vulnerability could be exploited to cause the program to crash and to execute code remotely. This allows the attacker to perform actions as root, including reading and editing data, as well as bricking the router. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 9.3.5u.6146_B20201023 but may also affect other versions.

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) can be triggered by an unauthenticated attacker on the same network segment. No credentials are required, and exploitation gives the attacker full root-level code execution on the device. Successful exploitation enables reading and modifying all stored data, crashing the router, or permanently bricking the device. No fix has been published by the vendor; HarborGuard tracks this advisory and will make a patched rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-44089 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or derive from affected Totolink firmware layers. Any image scan touching the affected version (9.3.5u.6146_B20201023) surfaces this finding automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.4 Critical and weights it against each environment's compliance policy to determine urgency and routing. The finding is directed to the appropriate team inbox within each customer organization based on configured ownership and severity thresholds.

Status: Available

Patch

No fix version has been published by the vendor, so no patched-image rebuild is currently available. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a fix; for customers with auto-remediation enabled, this triggers a rebuild, regression run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability

    The attacker must be on the same adjacent network segment (LAN, Wi-Fi, or VPN) as the router; remote internet-based exploitation is not possible without prior network access.

  • Authentication: Not required

    The vulnerability exists in the pre-authentication login handler, so no credentials or account of any privilege level are needed.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no user action such as clicking a link or opening a file is required.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or environmental setup beyond network adjacency.

Blast Radius

  • Attacker executes arbitrary code as root on the router, gaining full control of the device.
  • All data stored or transiting the router (credentials, session tokens, network traffic) is readable by the attacker.
  • Attacker can modify router configuration, redirect or intercept network traffic, and alter persisted settings.
  • Attacker can permanently brick the router by overwriting firmware or critical flash storage, causing irreversible denial of service.

How HarborGuard Handles This

Available on HarborGuard: because no vendor patch exists for CVE-2026-44089, patched-image rebuild is not yet possible, but the advisory is re-checked on every ingest cycle so a rebuild will be made available automatically the moment the upstream fix is published. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation rules can be configured to restrict which hosts have layer-2 adjacency to affected devices, reducing the pool of potential attackers. Egress filtering and VLAN segmentation recommendations are surfaced as policy annotations on any flagged image. For customers with auto-remediation enabled, the rebuild-plus-regression-plus-PR flow will trigger without manual steps as soon as a fix version is confirmed upstream.

Affected packages

  • Totolink / EX1200L: 9.3.5u.6146_B20201023

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H