CVE-2026-26461
Command Injection in Aver PTC320UV2 Web Interface
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aver | ptc320uv2 | 0.1.0000.65 |
| aver | ptc320uv2 | From 0.1.0000.72 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26461 is a Command Injection vulnerability found in the web management interface of the Aver PTC320UV2 device running firmware version 0.1.0000.65.
This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the device by sending a specially crafted web request to the /action?Get=acc path.
The root cause is that the 'Get' parameter from the web request is directly passed to a shell command in the script /mnt/sky/webui/opt_GetData.sh without proper input sanitization, enabling command injection via shell control characters like semicolons (;).
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows an unauthenticated attacker to execute arbitrary commands on the affected device.
Such command execution could lead to unauthorized control over the device, potentially allowing the attacker to manipulate device settings, disrupt services, access sensitive information, or use the device as a foothold for further attacks within a network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing the web management interface of the Aver PTC320UV2 device for command injection attempts. Specifically, crafted web requests targeting the /action?Get=acc path with shell control characters such as a semicolon (;) can be used to test if arbitrary commands are executed.
A possible detection method is to send a crafted HTTP request to the device's web interface and observe the response or behavior. For example, using curl or similar tools to send a request like:
- curl "http://<device-ip>/action?Get=acc;id"
If the device executes the injected command (e.g., 'id'), it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the firmware of the affected Aver PTC320UV2 device to version 0.1.0000.72 or later, which addresses security vulnerabilities including this command injection flaw.
Additionally, restricting access to the web management interface by network segmentation or firewall rules to allow only trusted users can reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Command Injection vulnerability in Aver PTC320UV2 impacts compliance with common standards and regulations such as GDPR or HIPAA.