CVE-2026-32833
Severity CVSS v4.0:
HIGH
Type:
CWE-78
OS Command Injections
Publication date:
26/06/2026
Last modified:
29/06/2026
Description
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH



