CVE-2026-30603
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A vulnerability in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data by supplying a crafted iu.sh script contained on an SD card.
Risk Assessment
The organization is at risk of complete device compromise, leading to data confidentiality, integrity, and availability breaches, as well as potential lateral movement within the internal network.
Recommendation
Immediately disable the execution of scripts from SD cards during the update process and enforce digital signing of firmware updates.
Original NVD description (English source)
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.

