Description
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.
Published: 2026-04-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Root Access
Action: Patch Now
AI Analysis

Impact

The flaw lies in the firmware update process of the Qianniao QN-L23PA0904, where the system accepts a custom iu.sh script from an SD card without verifying where it came from or whether it has been tampered with. The script runs with root privileges, so whoever controls the SD card controls the device, which is enough to install backdoors and exfiltrate sensitive data. The weakness is a failure to verify the authenticity and integrity of update code before executing it, as reflected by CWE-345 (Insufficient Verification of Data Authenticity) and CWE-494 (Download of Code Without Integrity Check).

Affected Systems

Qianniao QN‑L23PA0904 devices running firmware version v20250721.1640 are affected; no other vendors or models are listed.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known in-the-wild exploitation. The attack vector is physical (CVSS AV:P): an attacker must insert an SD card containing a malicious iu.sh script, which keeps the base score down despite the outcome. Once the script executes, the attacker gains full root access, compromising the confidentiality, integrity, and availability of the device.

Generated by OpenCVE AI on April 2, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest official firmware from Qianniao, which resolves the update validation issue.
  • Verify the integrity of any SD card used for firmware updates and avoid using untrusted media.
  • Enforce script signing or integrity checks for all firmware update scripts before execution.
  • Monitor system logs for unexpected execution of iu.sh or similar scripts.
  • Implement network segmentation and device hardening to limit lateral movement after compromise.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: Title
  Values removed: (none)
  Values added: Root Access via Crafted Firmware Update Script on Qianniao QN-L23PA0904

Type: First Time appeared
  Values removed: (none)
  Values added: Qianniao; Qianniao qn-l23pa0904

Type: Vendors & Products
  Values removed: (none)
  Values added: Qianniao; Qianniao qn-l23pa0904

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-345; CWE-494

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:57:43.296Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30603

Vulnrichment

Updated: 2026-04-02T17:54:17.342Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T17:16:22.287

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-30603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:00Z

Weaknesses