Description
ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322.
Published: 2026-01-23
Score: 8.8 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the web‑based user interface of the ALGO 8180 IP Audio Alerter. A remote attacker who can authenticate to the web UI can supply a specially crafted string that is passed directly to a system call without validation, allowing the attacker to execute arbitrary commands with the privileges of the device during exploitation. This is a CWE‑78 command injection vulnerability, enabling remote code execution.

Affected Systems

The flaw affects the ALGO 8180 IP Audio Alerter product line, specifically firmware version 5.5 as identified by the CPE data. Any installation of this hardware running that firmware and exposing the web UI is likely susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of 1.5% (approximately) suggests a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalogue. Because authentication is required, the risk is confined to users who have valid credentials to the web UI; however, successful exploitation would give the attacker the ability to run code on the entire device.

Generated by OpenCVE AI on June 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware from ALGO if a security patch addressing this command injection exists.
  • If no patch is available, confine access to the web UI to a secure internal network, enforce multi‑factor authentication, and apply the principle of least privilege so that only essential users can log in.
  • Deploy monitoring of authentication attempts and system command execution logs, and review any exposed input parameters to apply custom input validation or escaping where feasible.

Generated by OpenCVE AI on June 18, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
CPEs cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*
cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*
Vendors & Products Algosolutions
Algosolutions 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Algo
Algo 8180 Ip Audio Alerter
Vendors & Products Algo
Algo 8180 Ip Audio Alerter

Fri, 23 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322.
Title ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Algo 8180 Ip Audio Alerter
Algosolutions 8180 Ip Audio Alerter 8180 Ip Audio Alerter Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:50:16.248Z

Reserved: 2026-01-08T22:56:05.042Z

Link: CVE-2026-0796

cve-icon Vulnrichment

Updated: 2026-01-23T19:50:07.338Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T04:16:07.523

Modified: 2026-06-17T10:11:23.940

Link: CVE-2026-0796

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')