CVE-2026-49201
CriticalCVSS 9.8Summary
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Risk Assessment
The organization is at risk of an attacker gaining persistent access to the system, potentially leading to data loss and security breaches.
Recommendation
It is recommended to remove the hardcoded encryption key and implement more secure key management practices in the backup process.
Original NVD description (English source)
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

