Description
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Published: 2026-06-26
Score: 8.7 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Cudy LT300 3.0 firmware versions earlier than 2.5.12, where an authenticated attacker can inject shell metacharacters into the cbid.system.ntp.current POST parameter of the system time configuration interface. This permits the execution of arbitrary OS commands, effectively giving the attacker full control over the device’s operating system. The weakness is a classic OS command injection flaw (CWE‑78), providing attackers the ability to exfiltrate data, modify system settings, or use the device as a launch point for further attacks.

Affected Systems

The affected devices are LT300 3.0 units manufactured by Shenzhen Cudy Technology Co., Ltd. All firmware releases before version 2.5.12 are vulnerable; newer firmware has the mitigation applied. No additional vendor or product names are necessary beyond the mentioned model.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity flaw. The EPSS score is 1%, indicating a low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Given that the flaw requires authentication and only affects the NTP configuration interface, exploitation remains plausible in environments where administrators or privileged users have network access to the device or where the web interface is exposed to untrusted networks.

Generated by OpenCVE AI on June 27, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to version 2.5.12 or later to eliminate the command injection vulnerability.
  • Restrict network access to the NTP configuration interface, for example by placing the device in a separate VLAN or applying firewall rules to limit inbound connections to trusted management hosts.
  • Disable the NTP configuration feature if it is not required, or apply additional input validation to the cbid.system.ntp.current parameter to reject shell metacharacters.

Generated by OpenCVE AI on June 27, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Shenzhen Cudy Technology
Shenzhen Cudy Technology lt300 3.0
Vendors & Products Shenzhen Cudy Technology
Shenzhen Cudy Technology lt300 3.0

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Title Cudy LT300 3.0 OS Command Injection via NTP Configuration
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Shenzhen Cudy Technology Lt300 3.0
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T13:21:57.919Z

Reserved: 2026-03-16T18:11:41.757Z

Link: CVE-2026-32833

cve-icon Vulnrichment

Updated: 2026-06-29T13:21:54.385Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:06:09Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')