Description
A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April."
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication requirement for an unknown function within the administrative interface of UGREEN CM933. Because authentication is not enforced, an attacker who connects to the device from the same local network can log in to the administrative console without credentials, giving them full control over the device’s configuration and potentially exposing sensitive information. The weakness is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

Affected Systems

UGREEN CM933 firmware version 1.1.59.4319 is affected. No other versions or products have been reported as vulnerable; the vendor confirms the issue only in this build.

Risk and Exploitability

The CVSS 4.0 vector gives a score of 5.3, reflecting moderate severity due to the local-network requirement (attack vector AV:A, adjacent network). EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that it has not yet been widely exploited. Attackers would need physical or network proximity to the device, but once local access is achieved, they can gain unrestricted administrative privileges with no additional conditions.

Generated by OpenCVE AI on May 9, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the firmware update for CM933 once the vendor releases the fixed version scheduled for late April.
  • Limit the device’s administrative interface to trusted network segments or use firewall rules to prevent unauthorized local devices from reaching it.
  • Monitor the vendor’s advisory page or product support for patch availability and apply when the new firmware is distributed.

Advisories

No advisories yet.

History

Sat, 09 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April."
Title UGREEN CM933 Administrative missing authentication
Weaknesses CWE-287, CWE-306
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:A/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T10:15:09.364Z

Reserved: 2026-05-08T19:40:30.733Z

Link: CVE-2026-8185

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T11:16:28.203

Modified: 2026-05-09T11:16:28.203

Link: CVE-2026-8185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T11:30:25Z

Weaknesses