CVE-2025-26856

CVSS 7.2 HIGH | EPSS 1.2% | CWE-78
In short

A flaw in UD-LT2 firmware allows an admin user to execute arbitrary system commands by manipulating certain screen requests. An attacker with admin access could run unauthorized commands on the device.

Technical detail

An OS command injection vulnerability in UD-LT2 firmware (Ver. 1.00.008_SE and earlier) allows authenticated administrators to execute arbitrary OS commands because special elements in screen operation requests are improperly neutralized. Exploitation requires valid administrative credentials and manipulation of specific input parameters.

Summary generated and translated by AI from the official description.
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
