Description
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Published: 2026-06-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Cudy LT300 3.0 firmware versions earlier than 2.5.12, where an authenticated attacker can inject shell metacharacters into the cbid.system.ntp.current POST parameter of the system time configuration interface. This permits the execution of arbitrary OS commands, effectively giving the attacker full control over the device's operating system. The weakness is a classic OS command injection flaw (CWE-78), giving an attacker the ability to exfiltrate data, modify system settings, or use the device as a launch point for further attacks.

Affected Systems

The affected devices are LT300 3.0 units manufactured by Shenzhen Cudy Technology Co., Ltd. All firmware releases before version 2.5.12 are vulnerable; newer firmware has the mitigation applied. No other vendors or products are named as affected.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high-severity flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication and is reachable only through the NTP configuration interface, exploitation is most plausible in environments where administrators or privileged users have network access to the device, or where the web interface is exposed to untrusted networks.

Generated by OpenCVE AI on June 26, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to version 2.5.12 or later to eliminate the command injection vulnerability.
  • Restrict network access to the NTP configuration interface, for example by placing the device in a separate VLAN or applying firewall rules to limit inbound connections to trusted management hosts.
  • Disable the NTP configuration feature if it is not required, or apply additional input validation to the cbid.system.ntp.current parameter to reject shell metacharacters.
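The input-validation recommendation above is the one a firmware developer can act on directly. The following is an added example written for this page; it is not Cudy's code and makes two assumptions: that the submitted value is ultimately used as the peer argument of a busybox-style `ntpd -p <server>` invocation, and that the device can accept either an IP literal or a hostname. It contrasts a denylist of shell metacharacters with the stronger allowlist approach (accept only what a valid NTP server value looks like), and shows the vulnerable string-building pattern next to the hardened argv-based invocation that never involves a shell.

```python
import ipaddress
import re
import subprocess

# Constructed example, not Cudy firmware code. It assumes the NTP value ends
# up as the peer argument of a busybox-style "ntpd -p <server>" invocation.

# Shell metacharacters that must never reach a command line built as a string.
SHELL_METACHARS = frozenset(";|&$`<>()\\\"'\n\r\t {}[]*?!~#")

# Strict hostname grammar: dot-separated labels of [A-Za-z0-9-], 1-63 chars
# each, no leading or trailing hyphen, optional trailing dot.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def contains_shell_metachars(value: str) -> bool:
    """Denylist check: True if any shell-significant character is present."""
    return any(ch in SHELL_METACHARS for ch in value)


def is_valid_ntp_server(value: str) -> bool:
    """Allowlist check: accept only an IP literal or a well-formed hostname.

    This is the stronger of the two checks: instead of enumerating bad
    characters, it enumerates what a legitimate NTP server value looks like.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def unsafe_command_string(server: str) -> str:
    """The vulnerable pattern: the parameter is spliced into a shell string.

    Everything in `server` is parsed by /bin/sh, so metacharacters change the
    command that runs. Shown for contrast only; it is never executed here.
    """
    return f"ntpd -n -q -p {server}"


def build_ntpd_argv(server: str) -> list[str]:
    """The hardened pattern: validate first, then build an argv list."""
    if not is_valid_ntp_server(server):
        raise ValueError(f"rejected NTP server value: {server!r}")
    # busybox ntpd: -n foreground, -q set the clock once and exit, -p peer
    return ["ntpd", "-n", "-q", "-p", server]


def set_ntp_server(server: str, run=subprocess.run):
    """Apply the NTP setting. `run` is injectable so it can be tested without ntpd."""
    argv = build_ntpd_argv(server)
    # shell=False: the list goes straight to execve, with no /bin/sh parsing.
    return run(argv, shell=False, check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values and one carrying a metacharacter.
    for candidate in ("pool.ntp.org", "192.168.1.10", "pool.ntp.org; echo injected"):
        ok = is_valid_ntp_server(candidate)
        print(f"{candidate!r}: allowlist={'pass' if ok else 'reject'} "
              f"denylist_hit={contains_shell_metachars(candidate)}")
```

The allowlist is preferable to the metacharacter denylist because it does not depend on enumerating every character the device's shell treats specially; a value that is neither an IP literal nor a hostname has no business in this parameter regardless of which characters it contains. Passing argv without a shell removes the injection sink entirely, so the validation then protects the NTP daemon's own parsing rather than the command line.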

Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  -                Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Title        -                Cudy LT300 3.0 OS Command Injection via NTP Configuration
Weaknesses   -                CWE-78
References   -                -
Metrics      -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                              cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T19:54:02.339Z

Reserved: 2026-03-16T18:11:41.757Z

Link: CVE-2026-32833

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:30:06Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')