CVE-2023-26801
Published: 26 March 2023
Summary
CVE-2023-26801 is a critical-severity Command Injection (CWE-77) vulnerability in LB-LINK BL-LTE300 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.1% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Multiple LB-LINK wireless router models, specifically BL-AC1900 version 1.0.1, BL-WR9000 version 2.4.9, BL-X26 version 1.2.5, and BL-LTE300 version 1.0.8, contain a command injection vulnerability (CWE-77) in the web management interface. The flaw resides in the handling of the mac, time1, and time2 parameters passed to the /goform/set_LimitClient_cfg endpoint and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers with network access can supply crafted input to these parameters and achieve arbitrary command execution on the device. This grants full control of the router, allowing traffic interception, persistence mechanisms, or use as an entry point into attached networks.
Public reporting confirms that the vulnerability has been exploited in the wild to distribute the Mirai botnet. The EPSS score rose from a low baseline to a peak of 0.6123, indicating measurable post-disclosure exploitation interest that warrants attention even after the current value receded to 0.4984. Technical details and proof-of-concept material are available in the referenced GitHub repository.
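For detection, the endpoint and parameter names above are enough to flag suspect requests in router-facing proxy or WAF logs. The following is an added example, not code from the advisory or the vendor. It assumes requests are available as a URL plus form body and that a legitimate mac value is a plain MAC address; the sample requests and their time values are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/set_LimitClient_cfg"   # endpoint named in the advisory
PARAMS = ("mac", "time1", "time2")         # parameters named in the advisory
# Characters a shell treats specially; none belong in a MAC address or a time value.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
# Assumption: a legitimate mac value is a colon- or dash-separated MAC address.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def suspicious_params(url, body=""):
    """Return sorted advisory parameter names whose decoded value looks like injection."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    hits = set()
    for raw in (parts.query, body):
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        fields = parse_qs(raw, keep_blank_values=True)
        for name in PARAMS:
            for value in fields.get(name, []):
                if SHELL_META.search(value):
                    hits.add(name)
                elif name == "mac" and value and not MAC_RE.match(value):
                    hits.add(name)
    return sorted(hits)

# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", ENDPOINT, "mac=00:11:22:33:44:55&time1=08:00&time2=18:00"),
    ("POST", ENDPOINT, "mac=00:11:22:33:44:55%3Bid&time1=08:00&time2=18:00"),
    ("POST", ENDPOINT, "mac=00:11:22:33:44:55&time1=%24%28id%29&time2=%60id%60"),
    ("GET", "/goform/other_cfg?mac=%3Bid", ""),
]

def scan(samples):
    """Return (url, body, flagged parameter names) for each suspect request."""
    results = []
    for _method, url, body in samples:
        names = suspicious_params(url, body)
        if names:
            results.append((url, body, names))
    return results

if __name__ == "__main__":
    for url, body, names in scan(SAMPLES):
        print(f"ALERT {url} params={names} body={body!r}")
```

Because the flaw is reachable without authentication, any external request to this endpoint is worth alerting on regardless of parameter content.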
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30594
Vulnerability details
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.