Executive Summary

CVE-2026-5572 is a critical Cross-Site Request Forgery (CSRF) vulnerability in the Technostrobe HI-LED-WR120-G2 obstruction light controller firmware version 5.5.0.1R6.03.30. This vulnerability allows an attacker to remotely change the device's admin password without any authentication or user interaction.

The vulnerability exists because the password change function is accessible via an unauthenticated POST request to the /LoginCB endpoint. The device lacks all standard CSRF protections such as synchronizer tokens, SameSite cookie attributes, Origin or Referer header validation, and does not require the current password to confirm changes.

An attacker can exploit this by hosting a malicious webpage that automatically submits a hidden form to the device's password change endpoint, changing the admin password silently when a victim visits the page. This allows the attacker to gain full control over the device remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to take full control of the Technostrobe HI-LED-WR120-G2 device remotely without authentication.

• The attacker can change the admin password silently, locking out legitimate users.
• Once in control, the attacker can manipulate the device's settings, potentially disrupting critical obstruction lighting systems.
• The attack can be executed remotely via phishing or malicious web pages, making it easy to exploit even if the attacker cannot directly access the device due to firewall restrictions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the device's password change endpoint `/LoginCB`. Specifically, look for POST requests that include parameters such as `updatePassword=0`, `userId=1` or `3`, and a `newPassword` value encoded in base64.

Network administrators can use tools like curl or packet capture utilities to test or detect such requests.

• Use curl to simulate a POST request to the vulnerable endpoint: curl -X POST http://<device-ip>/LoginCB -d "updatePassword=0&userId=1&newPassword=aGFja2VkIQ=="
• Use network monitoring tools (e.g., Wireshark or tcpdump) to capture and analyze HTTP POST traffic to `/LoginCB` on the device.
• Check web server logs on the device for unauthenticated POST requests to `/LoginCB` that attempt to change passwords.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing protections against CSRF attacks and restricting unauthorized password changes.

• Implement CSRF tokens by generating a per-session random token, embedding it as a hidden field in the password change form, and validating it server-side on POST requests.
• Set the `SameSite=Strict` attribute on session cookies to prevent cross-origin cookie sending.
• Validate the `Origin` header on incoming requests to ensure they originate from the device’s own domain.
• Require the current password to be provided and verified before allowing a password change.

Since the vendor has not responded, consider isolating the device from untrusted networks and monitoring for suspicious activity until a patch or update is available.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-5572 is a critical Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated remote attackers to change the admin password on the Technostrobe HI-LED-WR120-G2 device. This can lead to unauthorized access and control over the device.

Such unauthorized access and control could potentially lead to violations of common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protection of systems against unauthorized access and ensuring integrity and confidentiality of data and systems.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards or regulations.

Useful 0 Not Useful 0