CVE-2026-2686
OS Command Injection in SECCN Dingcheng G10 session_login.cgi
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seccn | dingcheng_g10 | 3.1.0.181203 |
| seccn | g10_vpn | 3.1.0.181203 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2686 is a critical security vulnerability in SECCN Dingcheng G10 version 3.1.0.181203, specifically in the function qq of the file /cgi-bin/session_login.cgi. The vulnerability arises because the User argument is not properly sanitized before being passed to a system command execution function, allowing an attacker to inject arbitrary operating system commands.'}, {'type': 'paragraph', 'content': "This injection occurs due to the use of Perl's qq operator with unsanitized input from a web POST request, enabling attackers to chain malicious commands. The vulnerability can be exploited remotely without authentication, making it highly accessible."}] [2, 3]
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary OS commands on the affected system remotely and without authentication. This can lead to full system compromise, including unauthorized access, data theft, system manipulation, or denial of service.
Because the exploit is publicly available and easy to use, attackers can leverage it to gain control over the system, potentially affecting confidentiality, integrity, and availability of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /cgi-bin/session_login.cgi, specifically targeting the 'User' parameter in the 'qq' function. Since the vulnerability allows OS command injection via the 'User' argument, attempts to inject shell command separators like ';' or other command sequences may be visible in network traffic or logs."}, {'type': 'paragraph', 'content': "A practical detection method is to capture and analyze HTTP requests to the vulnerable CGI script and look for unusual or malformed input in the 'User' parameter."}, {'type': 'paragraph', 'content': 'Example commands to detect exploitation attempts include using network monitoring tools like tcpdump or tshark to filter HTTP POST requests to the vulnerable endpoint:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip dst <target_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)))'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/cgi-bin/session_login.cgi"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': "Additionally, searching web server logs for suspicious 'User' parameter values containing shell metacharacters such as ';', '|', '&', or backticks can help identify exploitation attempts."}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/session_login.cgi by applying strict firewall rules to limit incoming connections only to trusted IP addresses.
Since the vulnerability allows unauthenticated remote code execution, blocking or filtering HTTP POST requests to this endpoint can reduce exposure.
If possible, disable or remove the vulnerable functionality until a patch or update is available.
Monitoring network traffic and logs for exploitation attempts and applying intrusion detection/prevention systems (IDS/IPS) signatures targeting this vulnerability can also help mitigate risk.