Description
A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-06
Score: 5.1 Medium
EPSS: 17.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary shell commands by manipulating the ip_list argument in bridge_cfg.php. This is a command injection weakness identified as CWE-74 and CWE-77. This leads to remote execution of commands on the device, affecting confidentiality, integrity, and availability by giving an attacker full control over the network equipment.

Affected Systems

DCN DCME-320 devices running firmware versions up to 20260121 are affected. The flaw exists in the Web Management Backend component of the DCN DCME-320 product.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is considered medium severity. An EPSS score of 17% indicates a relatively high probability of exploitation in the near term. The attack is performed remotely to the web management backend, specifically targeting the bridge_cfg.php endpoint and manipulating the ip_list argument. The exploit is publicly available, and the risk remains elevated even though the vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on July 17, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that contains the fix, and contact DCNetworks for remediation if no update is available.
  • Restrict remote access to the Web Management Backend by limiting allowed IP addresses or applying firewall rules to block unauthorised connections.
  • Implement strict input validation or whitelist enforcement for the ip_list parameter, ensuring that any user‑supplied data is sanitized before being used in system commands.

Generated by OpenCVE AI on July 17, 2026 at 03:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dcnetworks
Dcnetworks dcme-320
Dcnetworks dcme-320 Firmware
CPEs cpe:2.3:h:dcnetworks:dcme-320:-:*:*:*:*:*:*:*
cpe:2.3:o:dcnetworks:dcme-320_firmware:*:*:*:*:*:*:*:*
Vendors & Products Dcnetworks
Dcnetworks dcme-320
Dcnetworks dcme-320 Firmware

Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Dcn
Dcn dcme-320
Vendors & Products Dcn
Dcn dcme-320

Fri, 06 Feb 2026 07:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Dcn Dcme-320
Dcnetworks Dcme-320 Dcme-320 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:22:13.715Z

Reserved: 2026-02-05T17:18:39.350Z

Link: CVE-2026-2000

cve-icon Vulnrichment

Updated: 2026-02-12T15:08:11.945Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T07:16:13.053

Modified: 2026-06-17T10:29:58.983

Link: CVE-2026-2000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T03:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')