Executive Summary

The CVE-2026-5573 vulnerability affects the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, a device used to control aviation safety lighting on tall structures. The device runs an embedded Linux-based web server with a POST /fs endpoint that allows unauthenticated users to upload files to any directory on the device’s filesystem.

This upload functionality lacks authentication, file type validation, and path restrictions, enabling attackers to upload arbitrary files anywhere, including the web root directory. Attackers can manipulate the 'cwd' parameter to specify the upload directory, potentially overwriting critical system or configuration files.

The vulnerability allows remote attackers to upload malicious scripts or files without any credentials, which can then be accessed or executed to gain full control over the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized and unrestricted file uploads on a safety-critical device controlling aviation obstruction lighting. Attackers can upload malicious scripts or backdoors, leading to full operating system compromise.

• Attackers can overwrite configuration files or install persistent backdoors.
• They can disable or modify obstruction lighting, creating aviation safety hazards.
• Full remote code execution on the device is possible, allowing attackers to control the lighting controller.
• Such compromise can lead to regulatory violations and severe safety risks.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability impacts compliance primarily in the context of aviation safety and operational technology regulations rather than data privacy standards like GDPR or HIPAA.

Unauthorized control over obstruction lighting can violate regulations from aviation authorities such as the FAA, ICAO, and Transport Canada, which require reliable and secure lighting control to ensure safety.

While GDPR and HIPAA focus on personal data protection, this vulnerability's critical impact is on safety and operational compliance in aviation infrastructure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable POST /fs endpoint on the Technostrobe HI-LED-WR120-G2 device. An unauthenticated POST request to /fs with a multipart/form-data body including the cwd parameter and a file upload can confirm the vulnerability.

A suggested command to test the vulnerability is using curl to upload a test file to the device, for example:

• curl -v -X POST http://<device-ip>/fs -F cwd=/http/Technostrobe -F [email protected]

If the file becomes accessible via HTTP GET (e.g., http://<device-ip>/http/Technostrobe/test.txt) without authentication, the device is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Enforce authentication for all file upload operations to prevent unauthenticated access.
• Restrict the cwd parameter to a safe, server-controlled directory to prevent arbitrary file placement.
• Implement strict allowlists for file extensions, allowing only safe types such as .cfg, .csv, or .json.
• Store uploaded files outside the web root directory to prevent direct HTTP access.
• Remove or disable the /fs upload endpoint if it is not required in production.

Useful 0 Not Useful 0