Description
ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw in the web‐based management console of the ALGO 8180 IP Audio Alerter allows an authenticated user to insert unsanitized input into a system call. The vulnerability is classified as CWE‑77 and CWE‑78. Exploitation enables the attacker to run arbitrary commands with the privileges of the device, potentially compromising confidentiality, integrity, and availability of the audio alerting platform.

Affected Systems

All installations of ALGO Solutions’ 8180 IP Audio Alerter, including firmware 5.5 and later versions that contain the vulnerable web interface, are affected. Any device that hosts the management console can be targeted.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. However, the EPSS score of less than 1% shows a very low probability of exploitation at present. Because the flaw requires authentication to access the vulnerable interface, an attacker must first compromise credentials or gain legitimate login access. The device runs commands in its own context, which provides full control over the radio hardware and software stack. Although exploitation is unlikely to be widespread, the impact of a successful attack is catastrophic, and the vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware update from ALGO Solutions that patches the web interface command injection flaw.
  • Restrict management access by limiting the device’s web console to a trusted network segment and enforce multi‑factor authentication for administrative users.
  • Monitor system logs for anomalous command execution patterns and block any unauthorized export or manipulation of configuration data.

Generated by OpenCVE AI on April 18, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Weaknesses CWE-77
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568.
Title ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:51:21.950Z

Reserved: 2026-01-08T22:55:00.661Z

Link: CVE-2026-0779

cve-icon Vulnrichment

Updated: 2026-01-23T19:51:17.101Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:05.210

Modified: 2026-02-18T19:04:41.763

Link: CVE-2026-0779

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:30:25Z

Weaknesses