CVE-2026-2533
Remote Command Injection in Tosei Washing Machine CGI Script
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tosei | tosei_self-service_washing_machine | 4.02 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable script `/cgi-bin/tosei_datasend.php` on the Tosei Self-service Washing Machine version 4.02. Attackers can locate vulnerable targets using Google dorking with the query `inurl:cgi-bin/tosei_datasend.php`.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or test for the vulnerability, you can try sending crafted HTTP requests targeting the `adr_txt_1` parameter to see if command injection is possible. For example, using curl to send a test payload:'}, {'type': 'list_item', 'content': 'curl -G "http://[target]/cgi-bin/tosei_datasend.php" --data-urlencode "adr_txt_1=;id"'}, {'type': 'paragraph', 'content': 'If the response contains output from the injected command (e.g., the output of `id`), the system is vulnerable.'}] [1]
Can you explain this vulnerability to me?
CVE-2026-2533 is a command injection vulnerability found in the Tosei Self-service Washing Machine version 4.02, specifically in the file /cgi-bin/tosei_datasend.php.
The vulnerability arises from improper handling of the input parameter adr_txt_1, which allows an attacker to inject and execute arbitrary commands on the affected system.
This flaw can be exploited remotely without any authentication, making it highly accessible to attackers.
The vulnerability is classified under CWE-77, meaning the product constructs commands using externally influenced input without properly neutralizing special characters that could alter the intended command execution.
A proof-of-concept exploit is publicly available, and attackers can locate vulnerable targets using specific Google dorking queries.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploiting this vulnerability allows an attacker to execute arbitrary commands on the washing machine's system remotely."}, {'type': 'paragraph', 'content': "This can lead to compromise of the system's confidentiality, integrity, and availability."}, {'type': 'paragraph', 'content': 'Attackers may gain elevated server privileges, potentially allowing full control over the device.'}, {'type': 'paragraph', 'content': 'Since the attack requires no authentication and can be launched remotely, it poses a significant security risk.'}, {'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been published, so the recommended action is to replace the affected product with an alternative.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
There are no known mitigations or countermeasures published for this vulnerability. The vendor was contacted but did not respond.
The recommended immediate step is to replace the affected product with an alternative that is not vulnerable.
Additionally, as a temporary measure, you may consider restricting network access to the vulnerable device, especially blocking access to the `/cgi-bin/tosei_datasend.php` endpoint from untrusted networks to reduce the risk of remote exploitation.