Description
thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in the parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

thingino-firmware versions up to firmware-2026-03-16 contain an unauthenticated OS command injection flaw in the WiFi captive-portal CGI script. The vulnerability arises because unsanitized HTTP parameter names are passed directly to the eval function in parse_query() and parse_post(). An attacker can inject arbitrary shell commands that are executed with root privileges, enabling full device compromise, root password resets, and modification of authorized_keys.
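The defect described above is the classic shell-CGI pattern of building an assignment from a client-supplied parameter name and handing it to `eval`. The POSIX sh below is an added illustration of the hardened shape, not thingino's own code: it assumes the vulnerable parser did roughly `eval "$k=\$v"` per pair, and the function names, the allowlist of expected parameter names, and the tab-separated output format are assumptions for the example.

```shell
#!/bin/sh
# Added illustration, not thingino's own code: a CGI parameter parser that
# never lets client-controlled text reach `eval` as shell syntax.
# Assumed vulnerable shape: for every "k=v" pair, `eval "$k=\$v"`, so a
# parameter *name* carrying shell metacharacters is executed by the CGI.
# Percent-decoding of values is deliberately left out of this example.

# Parameter names this endpoint expects (assumption for the example).
QS_ALLOWED=" ssid psk hostname "
TAB=$(printf '\t')
NL=$(printf '\n.'); NL=${NL%.}

# Accept only a plain identifier that is also on the allowlist.
qs_valid_name() {
    case "$1" in
        "" | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    case "$QS_ALLOWED" in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# parse_query STRING: prints "name<TAB>value" per pair on success.
# Fails closed: if any name is rejected nothing is printed and 1 is returned.
parse_query() {
    rest=$1 out=""
    while [ -n "$rest" ]; do
        case "$rest" in
            *'&'*) pair=${rest%%&*}; rest=${rest#*&} ;;
            *)     pair=$rest;       rest="" ;;
        esac
        [ -z "$pair" ] && continue
        name=${pair%%=*}
        value=${pair#*=}
        [ "$value" = "$pair" ] && value=""
        qs_valid_name "$name" || return 1
        # The value is kept as data; it is never interpolated into code.
        out="${out}${name}${TAB}${value}${NL}"
    done
    printf '%s' "$out"
}

# parse_post: the same rules applied to a form body of CONTENT_LENGTH bytes.
parse_post() {
    body=$(dd bs=1 count="${CONTENT_LENGTH:-0}" 2>/dev/null)
    parse_query "$body"
}
```

The caller treats a non-zero return as a malformed request and answers with an error instead of applying any of the parameters.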

Affected Systems

The affected systems are devices running themactep's thingino-firmware, specifically any firmware build up to and including firmware-2026-03-16.

Risk and Exploitability

With a CVSS 4.0 score of 8.7, the vulnerability is rated high severity. Exploitation requires only unauthenticated HTTP access to the captive-portal endpoint, making it easily targetable over the wireless network. Although EPSS data is unavailable and the flaw is not in the CISA KEV list, the combination of local network exposure and root-level execution makes this a serious threat if left unpatched.

Generated by OpenCVE AI on March 26, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent firmware release from themactep that removes the vulnerable code.
  • Verify that the captive-portal CGI endpoint no longer accepts unsanitized query parameters, or that the injection no longer succeeds.
  • If an update cannot be applied immediately, limit or block network traffic to the captive-portal endpoint and monitor for suspicious activity.
  • Keep device firmware current by regularly checking the vendor website for further updates or security advisories.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Themactep
                                      Themactep thingino-firmware
Vendors & Products                    Themactep
                                      Themactep thingino-firmware

Thu, 26 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description                    thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in the parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.
Title                          thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal
Weaknesses                     CWE-78
References
Metrics                        cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Themactep Thingino-firmware
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T19:21:33.135Z

Reserved: 2026-02-11T20:08:07.943Z

Link: CVE-2026-26213

Vulnrichment

Updated: 2026-03-26T19:21:28.345Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T19:16:38.787

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-26213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:38Z

Weaknesses