Description
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Published: 2026-01-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a remote attacker with privileged access to upload and execute arbitrary files on the PrismX MX100 AP controller. By uploading a web shell or other malicious payload, an attacker can run code on the device, potentially compromising the entire network that relies on that controller for management and configuration. The flaw is an arbitrary file upload weakness (CWE-434): an attacker who already holds privileged access to the controller can turn that access into arbitrary code execution on it.

Affected Systems

BROWAN COMMUNICATIONS PrismX MX100 AP controller is affected when running firmware prior to version v1.03.23.01. No other versions or products were identified as impacted based on the current data.

Risk and Exploitability

The CVSS v4.0 score of 8.6 indicates high severity: the vector describes a network-reachable, low-complexity attack that requires high privileges and has high impact on the confidentiality, integrity and availability of the controller itself, with no impact recorded on subsequent systems. The EPSS score of less than 1% suggests that, as of the latest assessment, exploitation is unlikely in the near term, but the described ability to upload and execute a web shell means that the vulnerability can be abused once an attacker gains the necessary privileges. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records exploitation as none. The likely attack vector requires remote privileged access, potentially through maintenance interfaces or default credentials, which an attacker could leverage to upload malicious files that execute with system privileges.

Generated by OpenCVE AI on April 18, 2026 at 04:47 UTC.

Remediation

Vendor Solution

Update firmware to version v1.03.23.01 or later.


OpenCVE Recommended Actions

  • Update the PrismX MX100 firmware to version v1.03.23.01 or later, as released by BROWAN COMMUNICATIONS.
  • Review the device for any unauthorized web shells or injected files and remove them immediately.
  • Restrict or disable remote upload functionality and enforce strong authentication to prevent privileged access by unauthorized users.


Advisories

No advisories yet.

History

Wed, 21 Jan 2026 11:30:00 +0000

Values added (none removed):

  • First Time appeared: Browan Communications; Browan Communications prismx Mx100 Ap Controller
  • Vendors & Products: Browan Communications; Browan Communications prismx Mx100 Ap Controller

Tue, 20 Jan 2026 19:15:00 +0000

Values added (none removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 06:45:00 +0000

Values added (none removed):

  • Description: PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
  • Title: BROWAN COMMUNICATIONS |PrismX MX100 AP controller - Arbitrary File Upload
  • Weaknesses: CWE-434
  • References:
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-20T18:26:15.271Z

Reserved: 2026-01-20T05:44:56.458Z

Link: CVE-2026-1222

Vulnrichment

Updated: 2026-01-20T18:25:36.164Z

NVD

Status: Deferred

Published: 2026-01-20T07:15:50.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z
