Description
OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.
Published: 2026-01-16
Score: 8.7 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in TOA Corporation’s TRIFORA 3 series network cameras. It allows an authenticated user with monitoring or higher privileges to inject and run arbitrary operating‑system commands, providing full control over the device’s firmware. This is classified as CWE‑78. Based on the description, it is inferred that the attacker can alter the camera's behavior or exfiltrate data, although the exact extent is not detailed in the CVE.

Affected Systems

The affected equipment is the TRIFORA 3 series network cameras from TOA Corporation. No specific firmware versions are listed, so any camera running the vulnerable firmware should be considered at risk until an updated image is applied.

Risk and Exploitability

The CVSS score of 8.7 places the vulnerability in the high‑risk category, and the EPSS score of 2% indicates a low but nonzero probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector requires an attacker to authenticate to the camera’s administrative interface as a monitoring or higher privilege user, then send crafted input to trigger the command injection. Based on the description, it is inferred that successful exploitation results in arbitrary code execution on the device, potentially enabling lateral movement or data exfiltration.

Generated by OpenCVE AI on June 16, 2026 at 14:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the camera firmware to a patched version as released by TOA Corporation.
  • If a patch is not yet available, restrict access to the camera’s management interface to trusted IP addresses or dedicated VLANs and enforce strong account controls, including disabling unnecessary monitoring accounts and encouraging complex passwords.
  • Monitor the camera’s logs for abnormal command‑execution events to detect possible exploitation attempts.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Command Injection in TOA TRIFORA 3 Series Network Cameras Enabling Remote Code Execution

Sat, 18 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Command Injection in TOA TRIFORA 3 Series Network Cameras Enabling Remote Code Execution

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Toa Corporation
Toa Corporation trifora 3 Series
Vendors & Products Toa Corporation
Toa Corporation trifora 3 Series
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-16T13:45:56.900Z

Reserved: 2026-01-14T04:14:37.678Z

Link: CVE-2026-20759

Vulnrichment

Updated: 2026-01-16T13:45:51.364Z

NVD

Status: Deferred

Published: 2026-01-16T09:16:22.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T15:00:07Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')