CVE-2026-4537
Received Received - Intake
Command Injection in Cudy TR1200 IPsec Lua Controller

Publication date: 2026-03-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Cudy TR1200 R46-2.4.15-20250721-164017. Impacted is the function action_ipsec_conn of the file /usr/bin/lib/lua/luci/controller/ipsec.lua. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is advised. The vendor explains, that "some other customer has reported this to us before. And we have fixed this."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4537
EUVD
EUVD-2026-14277
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shenzhen_cudy_technology_co_ltd tr1200 2.4.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious HTTP GET requests to the endpoint /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/ that contain unusual or encoded payloads, especially those using backtick syntax or shell command patterns.'}, {'type': 'paragraph', 'content': 'Specifically, detection can focus on authenticated requests with a valid sysauth session cookie that include command injection payloads such as backticks or shell commands embedded in the URL path.'}, {'type': 'paragraph', 'content': 'A sample command to test or detect the vulnerability (only on authorized systems) is to send a crafted GET request similar to the proof-of-concept:'}, {'type': 'list_item', 'content': 'curl -k -H "Cookie: sysauth=<valid_session_cookie>" "http://<router_ip>/cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/`telnetd%20-l%20/bin/sh%20-p%209999`"'}, {'type': 'paragraph', 'content': 'Network monitoring tools or intrusion detection systems can be configured to alert on such suspicious GET requests containing backtick characters or shell commands targeting this endpoint.'}] [1]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4537 is an authenticated command injection vulnerability in the Shenzhen Cudy Technology Co., Ltd. AC1200 Wi-Fi Mini VPN Router TR1200 running a specific firmware version. The vulnerability exists in the function action_ipsec_conn within the Lua script /usr/bin/lib/lua/luci/controller/ipsec.lua.'}, {'type': 'paragraph', 'content': "An attacker who has authenticated access to the router's web interface can send a specially crafted HTTP GET request to a vulnerable endpoint. The user-controlled input is passed directly to a shell execution function without proper sanitization, allowing the attacker to inject arbitrary shell commands."}, {'type': 'paragraph', 'content': 'For example, an attacker can execute a payload that starts a telnet daemon on the device, providing root shell access and enabling full control over the router.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an authenticated attacker to execute arbitrary commands on the affected router with root privileges.'}, {'type': 'list_item', 'content': 'The attacker can gain full control over the device, including starting services like a telnet daemon to maintain persistent access.'}, {'type': 'list_item', 'content': 'Compromise of the router can lead to interception or manipulation of network traffic, disruption of network services, and potential pivoting to other devices on the network.'}, {'type': 'list_item', 'content': "Because the attack requires authentication, the risk depends on the strength of access controls and exposure of the router's management interface."}] [1]

Compliance Impact

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the router's web interface to trusted users only, ensuring that only authorized personnel can authenticate and access the vulnerable endpoint."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authentication, enforcing strong authentication mechanisms and monitoring for unusual authenticated sessions can reduce risk.'}, {'type': 'paragraph', 'content': 'If possible, disable or restrict the vulnerable IPsec VPN functionality or the affected endpoint until a patch or firmware update is available.'}, {'type': 'paragraph', 'content': 'Monitor network traffic for suspicious requests targeting /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/ and block or alert on such activity.'}, {'type': 'paragraph', 'content': 'Contact the vendor for firmware updates or patches, although the vendor has not responded to this disclosure as of now.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart