Wasteland.

CVE-2026-10187: Totolink N300RH Stack-Based Buffer Overflow in setWiFiBasicConfig

A critical (CVSS 9.8) unauthenticated remote stack-based buffer overflow in the Totolink N300RH router's Web Management Interface allows attackers to corrupt memory via a crafted KeyStr argument, with a public exploit already circulating.

What Is It

CVE-2026-10187 is a stack-based buffer overflow (CWE-119, CWE-121) in the setWiFiBasicConfig function of wireless.so, reachable through the Web Management Interface of the Totolink N300RH router. An over-long KeyStr argument overflows a fixed-size stack buffer, giving an attacker the kind of memory corruption that typically leads to remote code execution. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability (base score 9.8). CVSS 4.0 rates it 8.9 (HIGH) with exploit maturity PROOF_OF_CONCEPT, and CVSS 2.0 scores it 10.0. The NVD record was published 2026-05-31 and describes the exploit as public.
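
The generic CWE-121 pattern the advisory names, beside a hardened handler, as an added illustration that is not code from Totolink's firmware or from the circulating exploit. The real setWiFiBasicConfig in wireless.so is not public, so the buffer size, the function and enum names, the in-memory config store and the form-encoded KeyStr=... request layout used here are all assumptions for the example; the WPA2-PSK length and character rules it enforces are the standard ones.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added illustration of the CWE-121 pattern named in the advisory. The real
 * setWiFiBasicConfig is not public: sizes, names and request layout are assumed. */

#define WPA_KEY_MAX 64                 /* 63-char passphrase or 64 hex digits */
#define KEY_BUF_SIZE (WPA_KEY_MAX + 1) /* assumed stack buffer: key + NUL */

enum { KEY_OK = 0, KEY_TOO_SHORT = -1, KEY_TOO_LONG = -2, KEY_BAD_CHAR = -3, KEY_MISSING = -4 };

/* Vulnerable pattern: the request parameter is copied into a fixed stack buffer
 * with no length check, so a KeyStr longer than KEY_BUF_SIZE-1 bytes runs past
 * key[] into the saved registers and return address. Never feed it untrusted input. */
int set_wifi_basic_config_vulnerable(const char *keystr)
{
    char key[KEY_BUF_SIZE];
    strcpy(key, keystr);               /* CWE-121: unbounded copy */
    return (int)strlen(key);
}

/* Bounded length: reads at most limit+1 bytes, so an oversized or
 * unterminated parameter cannot make the handler scan past its buffer. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;                          /* limit+1 means "too long" */
}

/* WPA2-PSK rules: 8..63 printable ASCII characters, or exactly 64 hex digits
 * for a raw pre-shared key. Anything else is rejected before any copy happens. */
int validate_wpa_key(const char *keystr)
{
    size_t n = bounded_len(keystr, WPA_KEY_MAX);
    if (n > WPA_KEY_MAX) return KEY_TOO_LONG;
    if (n < 8)           return KEY_TOO_SHORT;
    if (n == WPA_KEY_MAX) {            /* raw PSK: must be all hex */
        for (size_t i = 0; i < n; i++)
            if (!isxdigit((unsigned char)keystr[i])) return KEY_BAD_CHAR;
        return KEY_OK;
    }
    for (size_t i = 0; i < n; i++) {   /* passphrase: printable ASCII only */
        unsigned char c = (unsigned char)keystr[i];
        if (c < 0x20 || c > 0x7e) return KEY_BAD_CHAR;
    }
    return KEY_OK;
}

static char g_wifi_key[KEY_BUF_SIZE];  /* stands in for the router's config store (assumed) */

const char *current_wifi_key(void) { return g_wifi_key; }

/* Hardened handler: validate first, then copy with an explicit bound and an
 * explicit NUL, so the copy can never exceed the destination. */
int set_wifi_basic_config_hardened(const char *keystr)
{
    int rc = validate_wpa_key(keystr);
    if (rc != KEY_OK) return rc;
    size_t n = bounded_len(keystr, WPA_KEY_MAX);   /* now known to be <= WPA_KEY_MAX */
    memcpy(g_wifi_key, keystr, n);
    g_wifi_key[n] = '\0';
    return KEY_OK;
}

/* Extract KeyStr from a form-encoded body (assumed layout; the N300RH's real request
 * format is not in the advisory). Copies at most WPA_KEY_MAX+1 bytes and stops at '&'. */
int handle_keystr_request(const char *body)
{
    const char *p = strstr(body, "KeyStr=");
    if (p == NULL) return KEY_MISSING;
    p += strlen("KeyStr=");
    char value[WPA_KEY_MAX + 2];       /* one spare byte so overlength is detectable */
    size_t n = 0;
    while (n < sizeof value - 1 && p[n] != '\0' && p[n] != '&') { value[n] = p[n]; n++; }
    value[n] = '\0';
    return set_wifi_basic_config_hardened(value);
}

/* Build "KeyStr=" + len copies of fill (capped at 200) and run the hardened path. */
int probe_keystr_length(char fill, size_t len)
{
    char req[256];
    if (len > 200) len = 200;
    memcpy(req, "KeyStr=", 7);
    memset(req + 7, fill, len);
    req[7 + len] = '\0';
    return handle_keystr_request(req);
}

int main(void)
{
    printf("normal:   %d\n", handle_keystr_request("Ssid=home&KeyStr=password1"));
    printf("overlong: %d\n", probe_keystr_length('A', 200));
    return 0;
}
```

The point of the hardened path is that every step is bounded before any byte is written: extraction stops at a fixed size, validation measures length without trusting a terminator, and the final copy uses a length already known to fit. With those checks in place the over-long KeyStr that overflows the vulnerable version is simply rejected with KEY_TOO_LONG.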

Why It Matters

Unauthenticated network access, no user interaction, and a public proof-of-concept together make any reachable management interface a target for opportunistic exploitation. Successful exploitation affects confidentiality, integrity, and availability, consistent with full takeover of a consumer/SOHO router, a common pivot point into home and small-business networks. SOHO routers are repeatedly co-opted by botnets and state-aligned operators as proxy and persistence infrastructure, so a public PoC for this bug class warrants prompt mitigation even without a KEV listing.

What's Vulnerable

The NVD entry lists a single affected Totolink N300RH firmware configuration and does not enumerate additional CPEs.

Patch Status

The supplied NVD record lists no vendor patch or fixed version, and no KEV entry confirms in-the-wild exploitation: no CISA KEV data was provided for this CVE, so no required-action deadline applies. Until Totolink publishes an advisory or firmware update, operators should make sure the Web Management Interface is not reachable from the WAN, disable remote administration, and segment the device from sensitive networks. Monitor the vendor site and the VulDB reference for fix availability.

Sources