CVE-2026-36828
Authenticated Command Injection in Panabit PAP-XM320
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| panabit | pap-xm320 | up to and including 7.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the command injection vulnerability in Panabit PAP-XM320 affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a command injection issue found in the /cgi-bin/tools/ajax_cmd endpoint of the Panabit PAP-XM320 device up to and including version 7.7.
It allows authenticated users to execute arbitrary shell commands with root privileges by using the action=runcmd parameter in the CGI component.
How can this vulnerability impact me?
An attacker who is authenticated can exploit this vulnerability to run any shell command on the affected device with root-level access.
This could lead to full control over the device, allowing the attacker to modify configurations, access sensitive data, disrupt network operations, or use the device as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the /cgi-bin/tools/ajax_cmd endpoint on Panabit PAP-XM320 devices, which allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
To detect this vulnerability on your system, you can monitor HTTP requests targeting the /cgi-bin/tools/ajax_cmd endpoint, especially those containing the action=runcmd parameter.
Suggested commands include using network monitoring tools or web server logs to search for suspicious requests. For example, using grep on web server logs:
- grep "/cgi-bin/tools/ajax_cmd" /var/log/httpd/access_log
- grep "action=runcmd" /var/log/httpd/access_log
Additionally, you can use network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint.
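The grep commands above can be turned into a small, repeatable log check. The following Python script is an added example written for this page, not code from Panabit or from the CVE record. It assumes the web server writes Apache/nginx "combined" format access logs (the device's actual log format and path are not stated on the page) and runs over a few constructed sample lines embedded inline. It flags every request whose path is /cgi-bin/tools/ajax_cmd and marks separately those whose query string carries action=runcmd. A POST to the endpoint is reported too, because an access log records only the request line, not the body: a parameter sent in a POST body is invisible to a grep on the log and needs a traffic capture (tcpdump/Wireshark, as the answer suggests) or a WAF/reverse-proxy log to confirm.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The endpoint and parameter named in the CVE description.
ENDPOINT = "/cgi-bin/tools/ajax_cmd"
SUSPECT_ACTION = "runcmd"

# Constructed sample lines in combined log format (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [19/May/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - admin [19/May/2026:10:01:09 +0000] "GET /cgi-bin/tools/ajax_cmd?action=runcmd HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.7 - admin [19/May/2026:10:01:15 +0000] "POST /cgi-bin/tools/ajax_cmd HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.9 - - [19/May/2026:10:02:00 +0000] "GET /cgi-bin/tools/status HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(line):
    """Return a finding dict for a request to the ajax_cmd endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; not a hit
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    # parse_qs keeps every value for a repeated key, so a repeated "action" is not missed.
    params = parse_qs(parts.query)
    runcmd = SUSPECT_ACTION in params.get("action", [])
    if runcmd:
        reason = "action=runcmd in query string"
    elif m["method"] == "POST":
        reason = "POST to endpoint; body not logged, confirm via traffic capture"
    else:
        reason = "request to endpoint"
    return {
        "ip": m["ip"],
        "user": m["user"],
        "time": m["ts"],
        "method": m["method"],
        "status": m["status"],
        "runcmd": runcmd,
        "reason": reason,
    }


def scan_access_log(lines):
    """Scan an iterable of log lines and return all findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        flag = "HIGH" if finding["runcmd"] else "REVIEW"
        print(f'{flag} {finding["time"]} {finding["ip"]} user={finding["user"]} '
              f'{finding["method"]} {ENDPOINT} status={finding["status"]}: {finding["reason"]}')
```

Run it against a real log with `scan_access_log(open("/var/log/httpd/access_log"))`. A hit with `runcmd` set is direct evidence the parameter was used; a hit without it still merits review because legitimate use of the endpoint by an administrator and abuse by a compromised account look identical in the access log, so correlate the user and source IP with expected administrative activity.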
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /cgi-bin/tools/ajax_cmd endpoint to trusted and authenticated users only.
Ensure that only authorized personnel have authentication credentials to the device, and consider disabling or restricting the vulnerable CGI component if possible.
Monitor logs and network traffic for any suspicious activity targeting this endpoint.
Contact the vendor or check their official website for any patches or updates that address this vulnerability.