Description
ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

This vulnerability in the ALGO 8180 IP Audio Alerter Web UI allows a remote attacker to inject and execute arbitrary operating system commands. The flaw arises from insufficient validation of user‑supplied strings before they are passed to a system call. Leveraging this weakness, a privileged attacker can run code with the same permissions as the device’s internal processes, potentially compromising confidentiality, integrity, and availability of the system and any connected resources.

Affected Systems

The affected system is the ALGO 8180 IP Audio Alerter, specifically firmware version 5.5 and any earlier builds that contain the same web interface defect. Devices deployed with this firmware should be considered vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a very low but nonzero likelihood of exploitation in the wild. The vulnerability requires authentication, meaning an attacker must first gain access to a user account or have network visibility to the management interface. No current listing in the CISA KEV catalog suggests no known active exploitation, yet the remote code execution potential warrants immediate attention.

Generated by OpenCVE AI on April 18, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to the latest revision that contains the patch for the web UI command injection flaw.
  • If an immediate firmware update is not available, isolate the Web UI by restricting its access to trusted internal networks only or block the port with firewall rules.
  • Disable the Web UI feature if it is not required for operational purposes and modify device configuration to limit exposed management capabilities.

Generated by OpenCVE AI on April 18, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292.
Title ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:44:17.844Z

Reserved: 2026-01-08T22:55:15.124Z

Link: CVE-2026-0783

cve-icon Vulnrichment

Updated: 2026-01-23T19:44:11.353Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:05.770

Modified: 2026-02-13T20:44:20.457

Link: CVE-2026-0783

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:30:25Z

Weaknesses