Description
OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.
Published: 2026-01-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An OS command injection flaw exists in TOA Corporation's TRIFORA 3 series network cameras. The vulnerability allows an authenticated user with monitoring or higher privileges to inject and run arbitrary operating-system commands, granting full control over the device's firmware. This is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command): user-supplied input reaches a command execution path without being neutralized.

Affected Systems

The affected equipment is the TRIFORA 3 series of network cameras made by TOA Corporation. No specific firmware versions are listed, so any TRIFORA 3 series camera should be considered at risk until an updated image is applied.

Risk and Exploitability

The CVSS v4.0 score of 8.7 places the issue in the high-risk category, and the EPSS score of less than 1% indicates that the probability of exploitation is presently low. The vulnerability is not included in CISA KEV. An attacker must first authenticate to the camera with monitoring-user or higher privileges, then send crafted input to trigger the command injection. Successful exploitation results in arbitrary code execution on the device, potentially enabling lateral movement or data exfiltration.

Generated by OpenCVE AI on April 18, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the camera firmware to a patched version that resolves the command‑injection issue, following the vendor’s release notes.
  • If no patch is available, isolate the camera by restricting access to its management interface to trusted IP addresses or dedicated VLANs.
  • Enforce strict user‑account management: disable or remove monitoring accounts that are not required, and enforce strong passwords.
  • Enable and monitor activity logs for abnormal command‑execution events to detect possible exploitation attempts.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:30:00 +0000

Values Removed: (none)
Values Added:

  • Title: Command Injection in TOA TRIFORA 3 Series Network Cameras Enabling Remote Code Execution

Fri, 16 Jan 2026 14:15:00 +0000

Values Removed: (none)
Values Added:

  • First Time appeared: Toa Corporation; Toa Corporation trifora 3 Series
  • Vendors & Products: Toa Corporation; Toa Corporation trifora 3 Series
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 08:30:00 +0000

Values Removed: (none)
Values Added:

  • Description: OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.
  • Weaknesses: CWE-78
  • References
  • Metrics (cvssV3_0): {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-16T13:45:56.900Z

Reserved: 2026-01-14T04:14:37.678Z

Link: CVE-2026-20759

Vulnrichment

Updated: 2026-01-16T13:45:51.364Z

NVD

Status: Deferred

Published: 2026-01-16T09:16:22.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses