The vulnerability is a classic stack‑based buffer overflow in the login functionality exposed through the cgi-bin/cstecgi.cgi endpoint of the Totolink EX1200L router. By sending a crafted request an attacker can cause the program to crash and gain arbitrary code execution. The remote execution privilege is that of the router’s root user, enabling full control over the device, including reading, modifying, and deleting configuration data or rendering the device inoperable. The high CVSS score of 9.4 reflects the severity and the potential for system‑wide compromise.

The flaw has been confirmed in firmware build 9.3.5u.6146_B20201023 of the Totolink EX1200L model. Vendor contact attempts were unsuccessful and no other firmware revisions have been verified, but the problem likely affects additional versions.

The CVSS base score of 9.4 highlights very high severity, while the EPSS score is unavailable, indicating the publicly known exploit likelihood is unknown but the risk remains high because the vulnerability can be triggered from any host that can reach the router’s web interface. The router’s management pages are normally exposed to the broader network or the Internet, so a remote attacker can send a malicious payload directly. Though the CVE is not yet listed in CISA’s KEV catalog, the absence of an official patch and the remote nature of the attack vector increase the urgency of remediation.