CVE-2026-32833

Cudy LT300 3.0 OS Command Injection via NTP Configuration

CVSS 8.7 HIGHEPSS 1.3%CWE-78

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.7EPSS 1.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

26 jun 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Produtos afetados

Shenzhen Cudy Technology Co., Ltd. · LT300 3.0

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://www.cudy.com/en-us/pages/download-center/lt300-3-0 https://www.vulncheck.com/advisories/cudy-lt300-os-command-injection-via-ntp-configuration