Description
ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is a command injection flaw in the web‑based user interface of the ALGO 8180 IP Audio Alerter. Improper validation of a user‑supplied string allows an attacker to execute arbitrary system commands in the context of the device, resulting in full device compromise. This aligns with CWE‑78, which describes the misuse of operating system facilities to execute unintended operations.

Affected Systems

Known affected devices are ALGO 8180 IP Audio Alerter units, particularly firmware version 5.5. The product is identified by the manufacturer ALGO Solutions. Any installation of this hardware that exposes the web UI and relies on the vulnerable firmware is at risk.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score indicates a very low probability of exploitation (<1%), which reflects limited observed activity. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the web UI and valid authenticated credentials, suggesting that attackers with legitimate credentials or those who can bypass authentication can leverage the flaw.

Generated by OpenCVE AI on April 18, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that addresses the command injection flaw, typically firmware version 5.6 or later.
  • Limit access to the device’s web UI by network segmentation or firewall rules, allowing only trusted IP addresses or internal networks to reach it.
  • Enforce strong authentication policies, such as changing default credentials, using complex passwords, and enabling two‑factor authentication if supported.

Generated by OpenCVE AI on April 18, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291.
Title ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:43:35.240Z

Reserved: 2026-01-08T22:55:11.665Z

Link: CVE-2026-0782

cve-icon Vulnrichment

Updated: 2026-01-23T19:43:29.270Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:05.637

Modified: 2026-02-13T20:59:25.903

Link: CVE-2026-0782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses