Compliance Impact

This vulnerability leads to unauthenticated remote disclosure of sensitive information, including user credentials and configuration data, which can result in unauthorized access and control over critical systems.

Such exposure of sensitive data can violate common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information through adequate security controls.

Specifically, the lack of authentication and encryption for sensitive credentials and configuration files increases the risk of data breaches, which may lead to non-compliance with data protection requirements and could result in legal and financial penalties.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-5571 is an unauthenticated information disclosure vulnerability in the Technostrobe HI-LED-WR120-G2 tower light controller's embedded HTTP server firmware version 5.5.0.1R6.03.30. The vulnerability exists in the `/fs` HTTP endpoint, which acts as an unauthenticated file server allowing any remote attacker to request and retrieve arbitrary files without any authentication, session, or access control.

This endpoint accepts a file query parameter specifying the file path to read, but it performs no authentication, authorization, or path traversal restrictions, enabling attackers to access any file readable by the web server process.

Sensitive files exposed include user account credentials stored in Base64 encoding (which is easily reversible), MQTT broker credentials in plaintext, SNMP and network configurations, web server source code, and potentially OS user accounts.

The root cause is that the `/fs` endpoint appears to be a leftover development/debug utility that was not removed or secured in production firmware.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to remotely and unauthenticatedly access sensitive configuration files and credentials, including administrator passwords and MQTT broker credentials.

With these credentials, an attacker can connect to the MQTT broker used for tower light telemetry and control, enabling them to monitor tower status silently or manipulate tower lighting systems by turning off lights, changing flash patterns, or triggering false alarms.

Such unauthorized control poses significant safety and operational risks, especially since these devices manage obstruction lights on tall structures.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Technostrobe HI-LED-WR120-G2 device exposes the unauthenticated `/fs` HTTP endpoint that allows arbitrary file reading without authentication or access control.

A simple way to detect this on your network is to send HTTP requests to the device targeting the `/fs` endpoint with a file query parameter and observe if files can be retrieved without authentication.

• Use curl to request a known sensitive file, for example: curl "http://<device-ip>/fs?file=/login.cfg"
• Check if the response contains Base64 encoded credentials or other sensitive data.
• Scan your network for devices running the vulnerable firmware version 5.5.0.1R6.03.30 and test the `/fs` endpoint for unauthorized file access.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or removing the `/fs` endpoint from the device's firmware to prevent unauthenticated file access.

If disabling the endpoint is not possible, enforce strong authentication and authorization mechanisms on the `/fs` endpoint.

Restrict file access to a safe, non-sensitive directory to prevent exposure of critical configuration files.

Additionally, replace Base64 encoded passwords with secure one-way hashing algorithms such as bcrypt or Argon2, and encrypt MQTT credentials at rest.

Until a firmware update or patch is available, consider isolating the device from untrusted networks to reduce exposure.

Useful 0 Not Useful 0