CVE-2026-7546: Critical Stack Buffer Overflow in Totolink NR1800X

The National Vulnerability Database (NVD) has disclosed CVE-2026-7546, a critical stack-based buffer overflow vulnerability affecting the Totolink NR1800X router, specifically version 9.1.0u.6279_B20210910. The flaw resides within the find_host_ip function of the lighttpd component, where manipulating the Host argument can trigger the overflow. This is a severe issue, carrying a CVSSv3.1 score of 9.8, which falls in the Critical severity range.

This vulnerability is remotely exploitable, meaning attackers don’t need local network access to trigger it. The public disclosure of exploit details significantly escalates the risk, transforming this from a theoretical concern into an immediate threat for unpatched devices. Attackers can leverage this to achieve arbitrary code execution, potentially leading to full device compromise, network pivot points, or denial of service.

For defenders, this is a clear call to action. Router vulnerabilities are gold for attackers, providing persistent access at the network edge. Given the remote exploitability and public disclosure, assume active exploitation is underway or imminent. Prioritize patching or isolating these devices immediately.

What This Means For You

  • If your organization uses Totolink NR1800X routers, particularly version 9.1.0u.6279_B20210910, you are at critical risk. This is a remotely exploitable flaw with public exploit details. Immediately identify all instances of this device within your network and apply any available patches. If no patch exists, isolate these devices or replace them until a fix is deployed to prevent potential network compromise.

Related ATT&CK Techniques

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-7546: Totolink NR1800X lighttpd Host Header Stack Buffer Overflow

Sigma YAML

title: CVE-2026-7546: Totolink NR1800X lighttpd Host Header Stack Buffer Overflow
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects the specific stack buffer overflow vulnerability in Totolink NR1800X's lighttpd component by looking for requests targeting the root path with a 'Host=' parameter in the query string, which is indicative of the exploit for CVE-2026-7546. The vulnerability is triggered by manipulating the 'Host' argument, leading to a stack-based buffer overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7546/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Matches any URI that contains '/'.
    cs-uri|contains:
      - '/'
    # A field with no modifier is an exact match; Sigma has no 'exact' modifier.
    cs-method:
      - 'GET'
    cs-uri-query|contains:
      - 'Host='
  # 'condition' is a sibling of 'selection', not one of its fields.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
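
To see what the rule above actually fires on, the following added example (not part of the original post or the SCW feed) mirrors its selection in Python and triages constructed log records. The 253-character limit, the allowed-character set and the verdict names are assumptions made for the example, not values from the advisory.

```python
import re
from urllib.parse import parse_qsl

# Assumption (not from the advisory): a legitimate host value fits in a DNS
# name (253 characters) and uses only hostname / IP address characters.
MAX_HOST_LEN = 253
HOST_CHARS = re.compile(r"[A-Za-z0-9.\-:\[\]]*")

def sigma_match(rec):
    """The rule's selection as written; Sigma string matching ignores case."""
    return (rec["cs-method"].upper() == "GET"
            and "/" in rec["cs-uri"]
            and "host=" in rec["cs-uri-query"].lower())

def host_values(query):
    """Decoded values of every parameter named exactly Host (any case)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return [v for k, v in pairs if k.lower() == "host"]

def triage(rec):
    """Return 'no-match', 'substring-only', 'review' or 'alert'."""
    if not sigma_match(rec):
        return "no-match"
    values = host_values(rec["cs-uri-query"])
    if not values:
        # The rule fired on another parameter whose name ends in 'host'.
        return "substring-only"
    if any(len(v) > MAX_HOST_LEN or not HOST_CHARS.fullmatch(v) for v in values):
        return "alert"
    return "review"

# Constructed sample records keyed by the rule's field names.
SAMPLES = [
    {"cs-method": "GET", "cs-uri": "/", "cs-uri-query": "Host=192.168.0.1"},
    {"cs-method": "GET", "cs-uri": "/", "cs-uri-query": "Host=" + "A" * 600},
    {"cs-method": "GET", "cs-uri": "/index.html", "cs-uri-query": "ghost=1"},
    {"cs-method": "GET", "cs-uri": "/", "cs-uri-query": ""},
]

def run(samples=SAMPLES):
    """Triage every record and return the verdicts in order."""
    return [triage(r) for r in samples]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLES, run()):
        print(f"{verdict:15} {rec['cs-uri']}?{rec['cs-uri-query'][:40]}")
```

The 'substring-only' and 'review' verdicts are the rule's false-positive surface: the contains match on 'Host=' fires on any parameter name ending in "host" and on well-formed values alike.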


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7546 | Buffer Overflow | Totolink NR1800X version 9.1.0u.6279_B20210910 |
| CVE-2026-7546 | Buffer Overflow | Vulnerable component: lighttpd |
| CVE-2026-7546 | Buffer Overflow | Vulnerable function: find_host_ip |
| CVE-2026-7546 | Buffer Overflow | Manipulation of argument: Host |
| CVE-2026-7546 | Buffer Overflow | Attack type: stack-based buffer overflow |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
