CVE-2026-2944
Received Received - Intake
OS Command Injection in Tosei Online Store monitor.php Component

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2944
EUVD
EUVD-2026-7688
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tosei-corporation online_store_management_system 1.01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2944 is an OS command injection vulnerability in the Tosei Online Store Management System version 1.01, specifically in the /cgi-bin/monitor.php file's HTTP POST request handler."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the DevId parameter is not properly sanitized or escaped before being used in system-level commands. This allows an attacker to inject arbitrary operating system commands by manipulating the DevId argument.'}, {'type': 'paragraph', 'content': 'An attacker can remotely exploit this flaw without authentication by sending specially crafted POST requests that include shell metacharacters like semicolons (;) to terminate the intended command and execute additional commands on the server.'}, {'type': 'paragraph', 'content': 'This leads to remote code execution under the web server user privileges, enabling actions such as reading sensitive files, executing arbitrary commands, and potentially escalating privileges.'}] [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability can lead to full system compromise by allowing an attacker to execute arbitrary commands on the affected server with the privileges of the web server user.

  • Unauthorized command execution under the web server user (contec).
  • Data exfiltration, including access to sensitive files such as /etc/passwd and configuration files containing database credentials.
  • Potential privilege escalation to root due to outdated software and kernel versions.
  • Lateral movement within the internal network using the compromised device as a foothold.

The vulnerability is easy to exploit remotely without authentication, increasing the risk of widespread attacks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted POST request to the /cgi-bin/monitor.php endpoint with the DevId parameter manipulated to include shell command injection payloads.'}, {'type': 'paragraph', 'content': 'A proof of concept command involves sending a POST request with DevId set to ";id;" which executes the \'id\' command on the server and returns the user identity.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST -d "doput=ON&DevId=;id;&Port=1" http://[target]/cgi-bin/monitor.php'}, {'type': 'paragraph', 'content': "If the server responds with output similar to 'uid=501(contec) gid=501(contec)', it confirms the vulnerability and successful command injection."}, {'type': 'paragraph', 'content': 'Additionally, attackers may identify vulnerable targets using Google dorking with queries like "inurl:cgi-bin/monitor.php".'}] [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation on the DevId parameter to allow only alphanumeric characters.

If shell command execution is necessary, use escaping functions such as escapeshellarg() to neutralize shell metacharacters and prevent injection.

Replace insecure PHP system execution functions like system(), exec(), or shell_exec() with safer native PHP APIs that do not invoke the shell.

Conduct regular security audits to identify and fix vulnerabilities promptly.

Upgrade the outdated Apache/PHP stack to supported and patched versions to reduce the risk of privilege escalation.

If possible, consider replacing the affected product with an alternative solution that does not contain this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart