CVE-2026-4537
Command Injection in Cudy TR1200 IPsec Lua Controller
Publication date: 2026-03-22
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhen_cudy_technology_co_ltd | tr1200 | 2.4.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP GET requests to the endpoint /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/ that contain unusual or encoded payloads, especially those using backtick syntax or shell command patterns.

Specifically, detection can focus on authenticated requests with a valid sysauth session cookie that include command injection payloads such as backticks or shell commands embedded in the URL path.

A sample command to test or detect the vulnerability (only on authorized systems) is to send a crafted GET request similar to the proof-of-concept:

```
curl -k -H "Cookie: sysauth=<valid_session_cookie>" "http://<router_ip>/cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/`telnetd%20-l%20/bin/sh%20-p%209999`"
```

Network monitoring tools or intrusion detection systems can be configured to alert on such suspicious GET requests containing backtick characters or shell commands targeting this endpoint. [1]
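The following log scanner is an added example, not part of the VulDB record or any Cudy code: it reads web-server access-log lines in Common Log Format (an assumption about the log source), URL-decodes the request path repeatedly so double-encoded payloads are not missed, and flags only requests to the advisory's endpoint whose path suffix carries shell metacharacters. The sample log lines and the harmless `id` payloads in them are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory for CVE-2026-4537.
VULN_PATH = "/cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/"

# Shell metacharacters that have no legitimate place in a connection name.
SHELL_META = re.compile(r"[`$;|\n<>]|\$\(")

# Common Log Format: source, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path, rounds=3):
    """Decode %XX escapes repeatedly so %2560 -> %60 -> ` is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request(path):
    """Return the decoded suffix after the vulnerable endpoint if it
    contains shell metacharacters, otherwise None."""
    decoded = decode_path(path)
    if not decoded.startswith(VULN_PATH):
        return None
    suffix = decoded[len(VULN_PATH):]
    return suffix if SHELL_META.search(suffix) else None


def scan_log(lines):
    """Yield (source, method, decoded suffix) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a CLF line; skip rather than guess
        suffix = inspect_request(m.group("path"))
        if suffix is not None:
            hits.append((m.group("src"), m.group("method"), suffix))
    return hits


# Constructed sample lines: a benign connection name, a single-encoded and a
# double-encoded payload on the endpoint, and backticks on an unrelated path.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2026:10:00:00 +0000] "GET /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/site-a HTTP/1.1" 200 512',
    '192.0.2.77 - - [22/Mar/2026:10:01:13 +0000] "GET /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/%60id%60 HTTP/1.1" 200 12',
    '192.0.2.77 - - [22/Mar/2026:10:02:40 +0000] "GET /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/a%2524%2528id%2529 HTTP/1.1" 200 12',
    '192.0.2.20 - - [22/Mar/2026:10:03:05 +0000] "GET /cgi-bin/luci/admin/status/overview?x=%60id%60 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, method, suffix in scan_log(SAMPLE_LOG):
        print(f"{src} {method} suspicious suffix: {suffix!r}")
```

Because the attack is authenticated, correlate each hit with the sysauth session that issued it; a legitimate administrator rarely puts backticks or `$(` in an IPsec connection name.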
Can you explain this vulnerability to me?
CVE-2026-4537 is an authenticated command injection vulnerability in the Shenzhen Cudy Technology Co., Ltd. AC1200 Wi-Fi Mini VPN Router TR1200 running a specific firmware version. The vulnerability exists in the function action_ipsec_conn within the Lua script /usr/bin/lib/lua/luci/controller/ipsec.lua.

An attacker who has authenticated access to the router's web interface can send a specially crafted HTTP GET request to a vulnerable endpoint. The user-controlled input is passed directly to a shell execution function without proper sanitization, allowing the attacker to inject arbitrary shell commands.

For example, an attacker can execute a payload that starts a telnet daemon on the device, providing root shell access and enabling full control over the router. [1]
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary commands on the affected router with root privileges.

- The attacker can gain full control over the device, including starting services like a telnet daemon to maintain persistent access.
- Compromise of the router can lead to interception or manipulation of network traffic, disruption of network services, and potential pivoting to other devices on the network.
- Because the attack requires authentication, the risk depends on the strength of access controls and exposure of the router's management interface. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface to trusted users only, ensuring that only authorized personnel can authenticate and access the vulnerable endpoint.

Since the vulnerability requires authentication, enforcing strong authentication mechanisms and monitoring for unusual authenticated sessions can reduce risk.

If possible, disable or restrict the vulnerable IPsec VPN functionality or the affected endpoint until a patch or firmware update is available.

Monitor network traffic for suspicious requests targeting /cgi-bin/luci/admin/network/vpn/ipsecs2s/conn/ and block or alert on such activity.

Contact the vendor for firmware updates or patches, although the vendor has not responded to this disclosure as of now. [1]