Description
ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ALGO 8180 IP Audio Alerter devices are vulnerable to a command injection flaw in the API interface. The vulnerability arises because the device does not properly validate user‑supplied strings that are passed to a system call, allowing an attacker to execute arbitrary code in the context of the device. Because the flaw can be exploited remotely and requires only authentication, a compromised device can become a foothold for further lateral movement, data exfiltration, or denial of service against the network it serves.

Affected Systems

The affected product is the ALGO 8180 IP Audio Alerter. The vulnerability is present in firmware versions identified by the CPE as 5.5 and potentially earlier releases. All installations that expose the device’s API to authenticated users are at risk.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote, authenticated access to the API, so in practice the attacker is likely to be on a network segment that can reach the device’s management interface. If the API is exposed to the broader internet, the risk increases. The lack of input validation, classified as CWE‑78 (OS command injection), means that any authenticated request containing a crafted string can trigger a system call, leading to complete device compromise.

Generated by OpenCVE AI on April 18, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch released by ALGO that fixes the API command injection flaw.
  • If a patch is not yet available, block or disable the device’s API interface at the network perimeter and restrict access to trusted IP addresses only, ensuring that only authenticated users can reach it.
  • Implement or verify strict input validation for all API parameters, ensuring that user‑supplied data cannot be interpreted as executable commands before passing it to system calls.


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Algosolutions; Algosolutions 8180 Ip Audio Alerter; Algosolutions 8180 Ip Audio Alerter Firmware |
| CPEs | | cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*; cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:* |
| Vendors & Products | | Algosolutions; Algosolutions 8180 Ip Audio Alerter; Algosolutions 8180 Ip Audio Alerter Firmware |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


Fri, 23 Jan 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 23 Jan 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Algo; Algo 8180 Ip Audio Alerter |
| Vendors & Products | | Algo; Algo 8180 Ip Audio Alerter |

Fri, 23 Jan 2026 03:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. |
| Title | | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_0: {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:46:05.395Z

Reserved: 2026-01-08T22:55:22.897Z

Link: CVE-2026-0785

Vulnrichment

Updated: 2026-01-23T19:45:59.159Z

NVD

Status: Analyzed

Published: 2026-01-23T04:16:06.047

Modified: 2026-02-18T19:04:28.167

Link: CVE-2026-0785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:30:25Z

Weaknesses