CVE Catalog

CVE-2026-32833

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.34%

68th percentile — higher than 68% of all known CVEs

Summary

Cudy LT300 running firmware prior to version 2.5.12 contains an OS command injection vulnerability. An authenticated attacker can inject shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface, leading to remote code execution.

Risk Assessment

The risk is that an authenticated attacker can gain full control over the device, potentially compromising network integrity, stealing data, or using the device as a pivot for further attacks.

Recommendation

Immediately update the Cudy LT300 firmware to version 2.5.12 or later. If updating is not possible, restrict management interface access to trusted IP addresses only.

Original NVD description (English source)

Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS