CVE-2026-36827
Command Injection in Panabit PAP-XM320
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| panabit | pap-xm320 | up to and including 7.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection issue in the Panabit PAP-XM320 device up to version 7.7. The web management interface calls a backend helper program (/usr/sbin/pappiw) and passes parameters that come from the user. The helper uses unsafe argument processing with the eval function, which can execute arbitrary commands if attacker-controlled input is included. This means an authenticated remote attacker who can access the management interface can run arbitrary shell commands on the device.
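The eval pattern described above, shown beside a parser that avoids it. This is an added example, not code from the Panabit firmware or from the advisory; the key=value argument format and the names ssid, channel, parse_unsafe, parse_safe and executes_embedded_command are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; NOT code from the Panabit firmware. The key=value argument
# format and the names ssid/channel are assumptions made for this sketch.

# Unsafe: eval re-parses each argument as shell source, so a command
# substitution or separator embedded in a value runs as a command.
parse_unsafe() {
    for arg in "$@"; do
        eval "$arg"
    done
}

# Hardened: no eval. Keys are allow-listed, values must match a strict
# character set, and assignment is a plain variable copy.
parse_safe() {
    ssid='' channel=''
    for arg in "$@"; do
        case $arg in
            *=*) key=${arg%%=*}; val=${arg#*=} ;;
            *)   return 2 ;;
        esac
        case $val in
            ''|*[!A-Za-z0-9._-]*) return 2 ;;   # empty or non-allow-listed char
        esac
        case $key in
            ssid)    ssid=$val ;;
            channel) channel=$val ;;
            *)       return 2 ;;                # unknown key
        esac
    done
    printf '%s %s\n' "$ssid" "$channel"
}

# Returns 0 if the given parser executed a command hidden in a value.
# The input is constructed and only creates an empty file in a temp dir.
executes_embedded_command() {
    dir=$(mktemp -d) || return 3
    "$1" "ssid=lab" "channel=\$(touch $dir/marker)" >/dev/null 2>&1 || true
    if [ -e "$dir/marker" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

The hardened parser rejects the whole request (exit status 2) rather than trying to strip metacharacters, which keeps the validation rule easy to audit.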
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection via the web management interface of Panabit PAP-XM320 devices up to version 7.7, specifically through the backend helper /usr/sbin/pappiw which processes user-controlled parameters unsafely.
To detect this vulnerability on your system, you should monitor for unusual or unauthorized command executions originating from the management interface or the /usr/sbin/pappiw helper.
Since the vulnerability requires authenticated access, checking logs for suspicious activity related to the management interface is important.
- Review system logs for commands executed by /usr/sbin/pappiw, for example using: sudo grep pappiw /var/log/auth.log or sudo grep pappiw /var/log/syslog
- Use network monitoring tools to detect unusual HTTP requests to the management interface that include suspicious parameters.
- If possible, run commands to check the version of the Panabit PAP-XM320 device to confirm if it is running version 7.7 or earlier, which is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the web management interface to trusted and authenticated users only.
Ensure that only authorized personnel have management interface credentials to prevent authenticated attackers from exploiting the vulnerability.
Monitor and audit usage of the management interface and the /usr/sbin/pappiw helper for suspicious command execution.
If available, upgrade the Panabit PAP-XM320 device firmware to a version later than 7.7 where this vulnerability is fixed.
Consider implementing network-level controls such as firewall rules to limit access to the management interface.
How can this vulnerability impact me?
The vulnerability allows an authenticated remote attacker to execute arbitrary shell commands on the affected device. This can lead to unauthorized control over the device, potentially allowing the attacker to manipulate system settings, access sensitive data, disrupt services, or use the device as a foothold for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the command injection vulnerability in Panabit PAP-XM320 impacts compliance with common standards and regulations such as GDPR or HIPAA.