CVE-2026-5574
Missing Authorization in Technostrobe FsBrowseClean deletefile Function

Publication date: 2026-04-05

Last updated on: 2026-05-01

Assigner: VulDB

Description
A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The affected function is deletefile in the FsBrowseClean component. Manipulating the dir/path argument leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
  • Published: 2026-04-05
  • Last Modified: 2026-05-01
  • Generated: 2026-05-07
  • AI Q&A: 2026-04-05
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products
  • Vendor: technostrobe
  • Product: hi-led-wr120-g2_firmware
  • Version / Range: 5.5.0.1r6.03.30
CWE
  • CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
  • CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to interact with the vulnerable AJAX handler on the Technostrobe HI-LED-WR120-G2 device. Specifically, sending a crafted POST request to the device's embedded HTTP server targeting the FsBrowseClean component with the deletefile action and a controlled path parameter can reveal if the device is vulnerable.

A practical detection command is a curl POST request that tries to delete a harmless or test file, or checks for the presence of the vulnerable handler by observing the response.

  • curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data 'ajax=FsBrowseClean&dir=/&path=/login.cfg&action=deletefile' http://<device-ip>/

If the device responds with "OK" and the file is deleted or the response indicates the handler processed the request without authentication, it confirms the vulnerability.
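As an added example (not part of the advisory and not vendor code), the same request pattern can be recognised passively at a reverse proxy or WAF in front of the device instead of by probing it: the filter below parses the form body, matches the ajax=FsBrowseClean / action=deletefile combination case-insensitively, and blocks it when the caller has no session. The sample requests and the assumption that the proxy tracks sessions are constructed for illustration.

```python
from urllib.parse import parse_qs

# Parameter values (compared case-insensitively) that identify the handler and action.
DELETE_SIGNATURE = {"ajax": "fsbrowseclean", "action": "deletefile"}

def classify_request(method, body, authenticated):
    """Classify one HTTP request as 'block', 'alert' or 'allow'.

    method: HTTP verb; body: raw application/x-www-form-urlencoded body;
    authenticated: whether the reverse proxy saw a valid session for the caller
    (assumption: the proxy, not the device, tracks sessions).
    """
    if method.upper() != "POST":
        return ("allow", "not a POST")
    parsed = parse_qs(body, keep_blank_values=True)
    params = {k.lower(): v[-1] for k, v in parsed.items()}  # last value wins
    for key, wanted in DELETE_SIGNATURE.items():
        if params.get(key, "").strip().lower() != wanted:
            return ("allow", "does not match the FsBrowseClean deletefile pattern")
    target = params.get("path") or params.get("dir") or "<none>"
    if not authenticated:
        return ("block", f"unauthenticated deletefile request for {target}")
    return ("alert", f"authenticated deletefile request for {target}")

# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = [
    ("POST", "ajax=FsBrowseClean&dir=/&path=/example.cfg&action=deletefile", False),
    ("POST", "ajax=fsbrowseclean&dir=/tmp&path=/tmp/old.log&action=DeleteFile", True),
    ("POST", "ajax=FsBrowseClean&dir=/&action=list", False),
    ("GET", "", False),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return the verdict for each sample request, in order."""
    return [classify_request(m, b, a)[0] for m, b, a in requests]

if __name__ == "__main__":
    for (method, body, authed), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{verdict:5} {method} {body!r} authenticated={authed}")
```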


Can you explain this vulnerability to me?

CVE-2026-5574 is a security vulnerability in the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, specifically in the deletefile function of the FsBrowseClean component. The vulnerability arises because the device's embedded HTTP server exposes an AJAX handler that allows unauthenticated remote attackers to delete arbitrary files by manipulating the path parameter without any authorization or path validation.

This means an attacker can send specially crafted POST requests to the device to delete critical system files, including configuration files, user credential stores, web interface files, and firmware update files, potentially causing denial of service or disabling important device functions.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable device and its HTTP interface to trusted networks only, as the vulnerability allows unauthenticated remote file deletion.

Additionally, monitor and block suspicious POST requests targeting the AJAX handler with parameters ajax=FsBrowseClean and action=deletefile.

Longer-term remediation recommended by the vendor or security researchers includes:

  • Enforce authentication on all AJAX handlers to prevent unauthenticated access.
  • Restrict deletable file paths server-side to a safe directory to prevent arbitrary file deletion.
  • Implement path canonicalization to prevent directory traversal attacks.
  • Add audit logging for all file operations, including source IP, timestamp, filename, and action.
  • Separate web content from system configuration files to prevent unauthorized access.
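Added example, not the vendor's firmware code: a hardened deletefile handler that applies the bullets above in order (authorization first, canonicalization and confinement to a safe directory, then an audit record for every outcome). SAFE_ROOT, the session dictionary, the audit log format and the injectable unlink callable are assumptions for illustration.

```python
import logging
import os
from datetime import datetime, timezone

# Assumption for illustration: the only directory from which users may delete files.
SAFE_ROOT = "/srv/fsbrowse/uploads"
audit = logging.getLogger("fsbrowse.audit")

def canonical_target(safe_root, user_path):
    """Resolve user_path beneath safe_root; return None if it escapes or names the root itself."""
    root = os.path.realpath(safe_root)
    # Strip a leading '/' so the request path is always taken relative to the root,
    # then resolve '..' and symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/")))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def delete_file(session, user_path, remote_ip, safe_root=SAFE_ROOT, unlink=os.remove):
    """Hardened deletefile: returns (status, detail). unlink is injectable for testing."""
    stamp = datetime.now(timezone.utc).isoformat()
    user = session.get("user") if session else None
    # 1. Authorization before anything touches the filesystem.
    if not session or not session.get("authenticated"):
        audit.warning("%s ip=%s action=deletefile path=%r result=DENIED reason=unauthenticated",
                      stamp, remote_ip, user_path)
        return ("denied", "authentication required")
    # 2./3. Canonicalize and confine the path to the safe directory.
    target = canonical_target(safe_root, user_path)
    if target is None:
        audit.warning("%s ip=%s user=%s action=deletefile path=%r result=DENIED reason=outside-safe-root",
                      stamp, remote_ip, user, user_path)
        return ("denied", "path outside permitted directory")
    # 4. Audit every outcome with source IP, timestamp, filename and action.
    try:
        unlink(target)
    except FileNotFoundError:
        audit.info("%s ip=%s user=%s action=deletefile path=%r result=NOTFOUND",
                   stamp, remote_ip, user, target)
        return ("error", "no such file")
    audit.info("%s ip=%s user=%s action=deletefile path=%r result=OK",
               stamp, remote_ip, user, target)
    return ("ok", target)
```

Keeping system configuration, credential stores and firmware images outside SAFE_ROOT is what makes the containment check meaningful (bullet five).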

How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Deletion of user credential files, which disables authentication and locks out legitimate users.
  • Loss of telemetry and status visibility by deleting configuration files related to monitoring.
  • Removal of web interface files, preventing management access to the device.
  • Deletion of network configuration files, potentially making the device unreachable.
  • Erasing firmware update files, which can prevent patching or recovery and may brick the device.
  • Erasing log and audit files, enabling attackers to cover their tracks and evade detection.

Operationally, this can cause denial of service to aviation safety lights, leading to outages that may last hours or days, risking pilot safety and causing regulatory penalties.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Technostrobe HI-LED-WR120-G2 device allows unauthenticated remote attackers to delete critical system files, including configuration, authentication, and log files. This can lead to denial of service and loss of safety functions in aviation obstruction lighting systems.

Operationally, this impacts compliance with aviation safety regulations such as FAA AC 70/7460-1M, ICAO Annex 14, and Transport Canada standards, as the malfunction or disabling of safety lights risks pilot safety and may result in regulatory penalties or loss of operating licenses.

While the provided information does not explicitly mention GDPR, HIPAA, or other data protection regulations, the ability to delete log and audit files could hinder forensic investigations and incident response, potentially affecting compliance with regulations that require audit trails and data integrity.

