CVE-2023-26801

high-risk

Published 2023-03-26

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.

Do I need to act?

60.9% chance of exploitation in next 30 days

EPSS score — higher than 39% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Bl-Lte300 Firmware

Bl-X26 Firmware

Bl-Wr9000 Firmware

Bl-Ac1900 Firmware

Affected Vendors

Lb-Link

References (3)

Exploit https://github.com/winmt/my-vuls/tree/main/LB-LINK%20BL-AC1900%2C%20BL-WR9000%2C...

https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading...

Exploit https://github.com/winmt/my-vuls/tree/main/LB-LINK%20BL-AC1900%2C%20BL-WR9000%2C...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 19/34 · Moderate

Exposure 10/34 · Low