CVE-2026-32833
Deferred Deferred - Pending Action
OS Command Injection in Cudy LT300 Firmware

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: VulnCheck

Description
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-32833
EUVD
EUVD-2026-39862
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cudy lt300 to 2.5.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32833 is an OS command injection vulnerability found in Cudy LT300 3.0 routers running firmware versions prior to 2.5.12. It allows authenticated attackers to execute arbitrary commands on the device by injecting shell metacharacters into the 'cbid.system.ntp.current' POST parameter within the system time configuration interface. This means attackers can send malicious payloads through the NTP settings endpoint to remotely execute code on the underlying system.

Impact Analysis

This vulnerability can have a severe impact as it allows attackers with authentication to remotely execute arbitrary commands on the affected device. This can lead to full compromise of the router, potentially allowing attackers to control network traffic, intercept data, disrupt network services, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability involves OS command injection via the 'cbid.system.ntp.current' POST parameter in the NTP configuration interface of Cudy LT300 3.0 routers running firmware prior to version 2.5.12.

Detection would involve monitoring or inspecting POST requests to the NTP settings endpoint for suspicious payloads containing shell metacharacters or unusual command injection patterns.

Specific commands to detect exploitation attempts are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the Cudy LT300 3.0 router firmware to version 2.5.12 or later, which contains fixes for this OS command injection vulnerability.

Firmware version 2.5.12 also includes other improvements such as VPN optimization, Wake-on-LAN enhancements, accessibility improvements, and network-wide ad blocking.

Users should download the latest firmware and release notes from the official Cudy download center.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart