Description
ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295.
Published: 2026-01-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw allows a remote attacker to inject an operating system command through the SCI module, enabling execution of arbitrary code on the device. The vulnerability arises because user‑supplied strings are passed directly to a system call without validation. Because the attacker must authenticate, the exposure is limited to users with valid credentials, but the resulting code execution grants the attacker the same privileges as the device process.

Affected Systems

ALGO Solutions’ 8180 IP Audio Alerter devices, including firmware version 5.5, are affected by the command injection flaw.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is deemed high severity. The EPSS score of <1% indicates that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over the network because authentication is required to send the malicious command. Attackers would need valid device credentials to trigger the flaw, but once authenticated they could control the device’s operating system and potentially elevate their damage.

Generated by OpenCVE AI on April 18, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by ALGO that addresses the SCI command injection flaw.
  • If a patch is not yet available, disable the SCI module or restrict its network accessibility to trusted hosts only.
  • Ensure the device uses strong, unique credentials and consider changing or disabling default passwords to reduce the likelihood of an authenticated attacker.

Generated by OpenCVE AI on April 18, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295.
Title ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:46:44.147Z

Reserved: 2026-01-08T22:55:25.980Z

Link: CVE-2026-0786

cve-icon Vulnrichment

Updated: 2026-01-23T19:46:39.251Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:06.180

Modified: 2026-02-18T16:46:34.750

Link: CVE-2026-0786

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses