CVE Catalog

CVE-2026-49201

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

Risk Assessment

The organization is at risk of an attacker gaining persistent access to the system, potentially leading to data loss and security breaches.

Recommendation

It is recommended to remove the hardcoded encryption key and implement more secure key management practices in the backup process.

Original NVD description (English source)

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS