PT-2023-2961 · Lb Link · Lb-Link Bl-Lte300 (+3 more products)

Published 2023-03-26 · Updated 2025-10-10 · CVE-2023-26801

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
LB-LINK BL-AC1900 2.0 version 1.0.1
LB-LINK BL-WR9000 version 2.4.9
LB-LINK BL-X26 version 1.2.5
LB-LINK BL-LTE300 version 1.0.8

Description
The issue is a command injection vulnerability via the mac, time1, and time2 parameters of the "/goform/set_LimitClient_cfg" endpoint. This vulnerability is actively exploited in the wild. It may allow a remote attacker to gain full access to the device. The root cause is the lack of input sanitization in the bs_SetLimitCli_info function of the /lib/libshare-0.0.26.so file: the values of these parameters reach a shell command without being validated.

Recommendations
For LB-LINK BL-AC1900 2.0 version 1.0.1, consider disabling the mac, time1, and time2 parameters in the "/goform/set_LimitClient_cfg" endpoint until a patch is available.
For LB-LINK BL-WR9000 version 2.4.9, restrict access to the "/goform/set_LimitClient_cfg" endpoint to minimize the risk of exploitation.
For LB-LINK BL-X26 version 1.2.5, avoid using the mac, time1, and time2 parameters in the affected API endpoint until the issue is resolved.
For LB-LINK BL-LTE300 version 1.0.8, as a temporary workaround, consider disabling the bs_SetLimitCli_info function until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
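Because no fixed firmware is listed, the practical defensive step is to restrict reachability of the endpoint and to monitor for requests whose mac, time1 and time2 values do not look like a MAC address or a time of day. The script below is an added example, not code from the advisory or from LB-LINK: it applies positive validation to those three parameters and scans constructed access-log lines for requests to the vulnerable endpoint that fail it. The expected value formats (colon-separated MAC, HH:MM) are an assumption for the example and should be adjusted to what the device's web UI actually sends.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and parameter names taken from the advisory (CVE-2023-26801).
VULN_PATH = "/goform/set_LimitClient_cfg"
VULN_PARAMS = ("mac", "time1", "time2")

# Positive-validation patterns: what a legitimate value is expected to look like.
# ASSUMPTION for this example; not taken from the vendor firmware.
EXPECTED = {
    "mac": re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$"),
    "time1": re.compile(r"^([01]\d|2[0-3]):[0-5]\d$"),
    "time2": re.compile(r"^([01]\d|2[0-3]):[0-5]\d$"),
}

# Combined log format: client IP, then the quoted request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only, so that ';' inside a value is kept
    as part of the value (that is exactly the kind of character we want to see)."""
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def check_params(params: dict) -> list:
    """Return (param, value) pairs that fail positive validation.
    Anything that is not a well-formed MAC or HH:MM is reported, which covers
    shell metacharacters without needing a blocklist of them."""
    findings = []
    for name in VULN_PARAMS:
        for value in params.get(name, []):
            if not EXPECTED[name].fullmatch(value):
                findings.append((name, value))
    return findings


def scan_log(lines) -> list:
    """Return (client_ip, param, value) for every request to the vulnerable
    endpoint whose mac/time1/time2 value fails validation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        for name, value in check_params(parse_query(url.query)):
            hits.append((m.group("ip"), name, value))
    return hits


# Constructed sample lines, not real traffic. Only the query string is visible in
# an access log; for POST bodies the same check_params() logic belongs in a WAF or
# reverse proxy in front of the device.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2023:10:00:01 +0000] "GET /goform/set_LimitClient_cfg'
    '?mac=00:11:22:33:44:55&time1=08:00&time2=17:00 HTTP/1.1" 200 12',
    '203.0.113.7 - - [26/Mar/2023:10:00:02 +0000] "GET /goform/set_LimitClient_cfg'
    '?mac=00:11:22:33:44:55;id&time1=08:00&time2=17:00 HTTP/1.1" 200 12',
    '203.0.113.7 - - [26/Mar/2023:10:00:03 +0000] "GET /goform/set_LimitClient_cfg'
    '?mac=00:11:22:33:44:55&time1=$(reboot)&time2=17:00 HTTP/1.1" 200 12',
    '10.0.0.6 - - [26/Mar/2023:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"suspicious {VULN_PATH} request from {ip}: {name}={value!r}")
```

The first sample line is a legitimate-looking request and produces no finding; the two lines from 203.0.113.7 are flagged because the mac and time1 values contain characters that a MAC address or a time of day never does. Positive validation is deliberately used instead of a list of forbidden characters, so the check does not need updating as new encodings of the same injection appear.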

Exploit

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02970
CVE-2023-26801

Affected Products

Lb-Link Bl-Ac1900 2.0
Lb-Link Bl-Lte300
Lb-Link Bl-Wr9000
Lb-Link Bl-X26