CVE-2026-32833

Cudy LT300 3.0 OS Command Injection via NTP Configuration

CVSS 8.7 HIGHEPSS 1.3%CWE-78

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 1.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

26 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

Shenzhen Cudy Technology Co., Ltd. · LT300 3.0

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.cudy.com/en-us/pages/download-center/lt300-3-0 https://www.vulncheck.com/advisories/cudy-lt300-os-command-injection-via-ntp-configuration