CVE-2026-32833
Published 2026-06-26
Priority P270 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.34% (67.8th percentile)
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_cudy_technology_co_ltd | lt300_3.0 | < 2.5.12 | 2.5.12 |
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.7 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
ghsa_unreviewed·2026-06-26
CVE-2026-32833 [HIGH] CWE-78
VulDB
Shenzhen Cudy LT300 3.0 up to 2.5.11 System Time Configuration Interface cbid.system.ntp.current os command injection
vuldb·2026-06-26·CVSS 8.8
A vulnerability classified as critical was found in Shenzhen Cudy LT300 3.0 up to 2.5.11. The affected element is an unknown function of the component System Time Configuration Interface. Such manipulation of the argument cbid.system.ntp.current leads to os command injection.
This vulnerability is uniquely identified as CVE-2026-32833. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
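A defender-side check for the request pattern described above, added here as an example and not taken from the vendor, NVD, or any published rule set: it decodes a form-encoded POST body and flags a cbid.system.ntp.current value that contains shell metacharacters, including when the value is percent-encoded twice. The metacharacter set, the (source, method, body) record shape and the sample requests are assumptions; the page gives neither the endpoint path nor the field's legitimate format.

```python
from urllib.parse import parse_qsl, unquote_plus

PARAM = "cbid.system.ntp.current"  # parameter named in the advisory

# Assumption: characters a POSIX shell uses for command separation,
# substitution, redirection, grouping or quoting.
SHELL_META = set(";|&$`()<>{}\\\"'\n\r")


def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(body):
    """Return decoded PARAM values in a urlencoded body that carry shell metacharacters."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name != PARAM:
            continue
        value = _fully_decode(value)
        if any(ch in SHELL_META for ch in value):
            hits.append(value)
    return hits


def scan(records):
    """records: iterable of (source_ip, method, body). Returns (source_ip, value) alerts."""
    alerts = []
    for source_ip, method, body in records:
        if method.upper() != "POST":
            continue
        alerts.extend((source_ip, v) for v in suspicious_values(body))
    return alerts


# Constructed sample requests (not captured traffic); "other" is a made-up field.
SAMPLE = [
    ("192.0.2.10", "POST", "cbid.system.ntp.current=2026-06-26+12%3A00%3A00&other=1"),
    ("192.0.2.44", "POST", "cbid.system.ntp.current=2026-06-26%3B+echo+test"),
    ("192.0.2.44", "POST", "cbid.system.ntp.current=x%2560echo+test%2560"),
    ("192.0.2.10", "GET", ""),
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE):
        print(f"ALERT {ip} {PARAM}={value!r}")
```

On devices that cannot be upgraded to 2.5.12 yet, the same check can run on proxy or WAF logs that record POST bodies for the router's management interface.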
Published: 2026-06-26