Description
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 firmware versions up to and including 7.7. An authenticated user can execute arbitrary shell commands with root privileges via the action=runcmd parameter. This compromises the entire device and allows the attacker to exfiltrate data, modify configuration, disable services, or pivot further into the network. The weakness is a classic OS Command Injection (CWE-78).

Affected Systems

Panabit PAP‑XM320 devices running firmware version 7.7 and earlier are affected. Newer firmware releases beyond v7.7 are not known to be impacted.

Risk and Exploitability

Exploitation requires valid user credentials, so an attacker must first authenticate. Once authenticated, the command injection can be performed remotely if the device is reachable over the network, making the attack vector network-based. Although EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the root-level impact and straightforward exploitation path imply a high-risk scenario. No public patch or workaround is currently provided, so the only defense is to migrate to a fixed firmware version or manually block the vulnerable endpoint.

Generated by OpenCVE AI on May 19, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version newer than v7.7 that removes the /cgi-bin/tools/ajax_cmd endpoint or fixes the injection flaw.
  • Restrict external network access to the PAP‑XM320 by limiting interfaces to trusted IP ranges, applying firewall rules, or placing the device behind a VPN.
  • Enforce strict authentication policies and eliminate or reduce privileged accounts to prevent accidental or malicious exploitation of the vulnerable endpoint.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Command Injection in Panabit PAP-XM320 /cgi-bin/tools/ajax_cmd Enables Root Command Execution |
| Weaknesses | | CWE-78 |

Tue, 19 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T16:25:09.252Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36828

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T17:16:22.080

Modified: 2026-05-19T17:16:22.080

Link: CVE-2026-36828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T17:30:10Z

Weaknesses