Totolink X5000R Buffer Overflow (CVE-2026-8137) Exposed
A critical buffer overflow vulnerability, identified as CVE-2026-8137, has been discovered in Totolink X5000R routers running firmware version 9.1.0u.6369_B20230113. According to the National Vulnerability Database, this flaw resides in the sub_458E40 function within the /boafrm/formDdns file. Attackers can trigger the overflow by manipulating the submit-url argument, leading to remote code execution.
The National Vulnerability Database rates CVE-2026-8137 with a CVSSv3.1 score of 8.8 (High severity), underscoring the significant risk. The vulnerability’s vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates it can be exploited remotely with low privileges and no user interaction, granting high impact to confidentiality, integrity, and availability. Public disclosure of the exploit means this isn’t theoretical – it’s actively weaponizable.
This isn’t just about Totolink; it’s a reminder of the inherent risks in consumer-grade network infrastructure. Routers are prime targets, often overlooked, yet they sit at the network edge, controlling access. An exposed router is a direct gateway into the internal network, making this a high-value target for any attacker looking for initial access.
What This Means For You
- If your organization or its remote workers utilize Totolink X5000R routers, specifically model 9.1.0u.6369_B20230113, you need to assess your exposure immediately. This vulnerability (CVE-2026-8137) is remotely exploitable with public exploits available. Prioritize isolating or replacing affected devices, as patching may not be an immediate option given the vendor's track record with older models. Assume compromise if these devices are internet-facing.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-8137 Totolink X5000R DDNS Buffer Overflow
title: CVE-2026-8137 Totolink X5000R DDNS Buffer Overflow
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit the CVE-2026-8137 vulnerability in Totolink X5000R devices. The exploit targets the formDdns functionality by manipulating the 'submit-url' parameter to trigger a buffer overflow in the sub_458E40 function. This rule specifically looks for requests to '/boafrm/formDdns' containing the 'submit-url=' parameter, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8137/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/boafrm/formDdns'
cs-uri-query|contains:
- 'submit-url='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8137 | Buffer Overflow | Totolink X5000R version 9.1.0u.6369_B20230113 |
| CVE-2026-8137 | Buffer Overflow | Vulnerable function: sub_458E40 in /boafrm/formDdns |
| CVE-2026-8137 | Buffer Overflow | Vulnerable argument: submit-url |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 08:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Tenda CX12L Stack Buffer Overflow (CVE-2026-8138) Risks Remote Exploitation
CVE-2026-8138 — A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based...
CVE-2026-42279 — solidtime is an open-source time-tracking app. In version
CVE-2026-42279 — solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller...
CVE-2026-42277 — Onyx is an open-source AI platform. Prior to versions
CVE-2026-42277 — Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download...