Description
ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw exists in the web‑based user interface of the ALGO 8180 IP Audio Alerter. Because the device does not validate a user‑supplied string before executing it as a system call, a logged‑in attacker can run arbitrary code with the privileges of the device. The vulnerability enables compromise of confidentiality, integrity, and availability of the entire device and any network services it provides. Authentication is required, so only accounts with valid credentials can exploit the flaw, but such credentials are typically available to administrators and other trusted users.

Affected Systems

The affected product is the ALGO 8180 IP Audio Alerter. Firmware versions noted in the CPE entries include the 5.5 release of the device's firmware.

Risk and Exploitability

With a CVSS score of 8.8, the flaw is high severity. The EPSS score is reported as less than 1%, indicating that actual exploitation is currently unlikely, yet the vulnerability is still officially documented and not listed in the CISA KEV catalog. Exploitation requires authenticated access to the web UI, so the attack vector is likely internal or from a compromised credential. Once exploited, an attacker can achieve full device control and potentially spread further into the network.

Generated by OpenCVE AI on April 18, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update or patch released by AlgoSolutions for the 8180 IP Audio Alerter that addresses the command injection flaw.
  • Restrict access to the device's web interface to a secure, internal network or VPN and disable remote access where possible.
  • Enforce strong authentication methods, including multi‑factor authentication, to prevent unauthorized users from acquiring the necessary credentials.

Generated by OpenCVE AI on April 18, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293.
Title ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:45:28.183Z

Reserved: 2026-01-08T22:55:19.124Z

Link: CVE-2026-0784

cve-icon Vulnrichment

Updated: 2026-01-23T19:45:23.721Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:05.907

Modified: 2026-02-13T20:44:11.763

Link: CVE-2026-0784

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses