CVE-2026-2533
Unknown Unknown - Not Provided
Remote Command Injection in Tosei Washing Machine CGI Script

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2533
EUVD
EUVD-2026-6128
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tosei tosei_self-service_washing_machine 4.02
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable script `/cgi-bin/tosei_datasend.php` on the Tosei Self-service Washing Machine version 4.02. Attackers can locate vulnerable targets using Google dorking with the query `inurl:cgi-bin/tosei_datasend.php`.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or test for the vulnerability, you can try sending crafted HTTP requests targeting the `adr_txt_1` parameter to see if command injection is possible. For example, using curl to send a test payload:'}, {'type': 'list_item', 'content': 'curl -G "http://[target]/cgi-bin/tosei_datasend.php" --data-urlencode "adr_txt_1=;id"'}, {'type': 'paragraph', 'content': 'If the response contains output from the injected command (e.g., the output of `id`), the system is vulnerable.'}] [1]

Executive Summary

CVE-2026-2533 is a command injection vulnerability found in the Tosei Self-service Washing Machine version 4.02, specifically in the file /cgi-bin/tosei_datasend.php.

The vulnerability arises from improper handling of the input parameter adr_txt_1, which allows an attacker to inject and execute arbitrary commands on the affected system.

This flaw can be exploited remotely without any authentication, making it highly accessible to attackers.

The vulnerability is classified under CWE-77, meaning the product constructs commands using externally influenced input without properly neutralizing special characters that could alter the intended command execution.

A proof-of-concept exploit is publicly available, and attackers can locate vulnerable targets using specific Google dorking queries.

Impact Analysis

[{'type': 'paragraph', 'content': "Exploiting this vulnerability allows an attacker to execute arbitrary commands on the washing machine's system remotely."}, {'type': 'paragraph', 'content': "This can lead to compromise of the system's confidentiality, integrity, and availability."}, {'type': 'paragraph', 'content': 'Attackers may gain elevated server privileges, potentially allowing full control over the device.'}, {'type': 'paragraph', 'content': 'Since the attack requires no authentication and can be launched remotely, it poses a significant security risk.'}, {'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been published, so the recommended action is to replace the affected product with an alternative.'}] [1, 2]

Compliance Impact

I don't know

Mitigation Strategies

There are no known mitigations or countermeasures published for this vulnerability. The vendor was contacted but did not respond.

The recommended immediate step is to replace the affected product with an alternative that is not vulnerable.

Additionally, as a temporary measure, you may consider restricting network access to the vulnerable device, especially blocking access to the `/cgi-bin/tosei_datasend.php` endpoint from untrusted networks to reduce the risk of remote exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2533. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart