Description
A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.
Published: 2026-05-01
Score: 6.5 Medium
EPSS: 8.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the Aver PTC320UV2 web management interface, firmware 0.1.0000.65. An unauthenticated attacker can send a crafted HTTP request that is interpreted as a shell command by the device, allowing the attacker to execute arbitrary commands with the privileges of the web service. This flaw can undermine the confidentiality, integrity, and availability of the device.

Affected Systems

Aver PTC320UV2 running firmware 0.1.0000.65. No additional vendor or product information is disclosed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, yet the ability to run arbitrary commands constitutes a remote code execution scenario. The weakness can be exploited by an unauthenticated user over the network through the device’s web interface. The EPSS score is 9% and the vulnerability is not listed in the CISA KEV catalog. Given the exposure, organizations should treat this as a significant risk and employ mitigations promptly.

Generated by OpenCVE AI on May 7, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install any firmware update from Aver that addresses the command injection flaw. (If available)
  • If an update is not available, restrict access to the web management interface to a trusted network segment or specific IP addresses.
  • Block external traffic to the web interface using firewall rules and monitor for suspicious HTTP requests.

Generated by OpenCVE AI on May 7, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aver
Aver ptc320uv2
Vendors & Products Aver
Aver ptc320uv2

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Command Injection in Aver PTC320UV2 Web Interface

Sat, 02 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection in Aver PTC320UV2 Web Management Interface

Sat, 02 May 2026 11:00:00 +0000

Type Values Removed Values Added
Title Command Injection in Aver PTC320UV2 Web Management Interface

Fri, 01 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.
References

Subscriptions

Aver Ptc320uv2
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:18:43.929Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26461

cve-icon Vulnrichment

Updated: 2026-05-01T18:18:38.020Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T18:16:14.307

Modified: 2026-05-07T15:15:06.770

Link: CVE-2026-26461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T14:45:26Z

Weaknesses