Cyber Resilience

CVE-2023-26801

Severity: Critical · Public PoC · RCE

Published: 26 March 2023
Modified: 05 May 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4984 (97.9th percentile)
Risk Priority: 50 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-26801 is a critical-severity command injection (CWE-77) vulnerability in LB-LINK BL-LTE300 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Multiple LB-LINK wireless router models, specifically BL-AC1900 version 1.0.1, BL-WR9000 version 2.4.9, BL-X26 version 1.2.5, and BL-LTE300 version 1.0.8, contain a command injection vulnerability (CWE-77) in the web management interface. The flaw resides in the handling of the mac, time1, and time2 parameters passed to the /goform/set_LimitClient_cfg endpoint and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers with network access can supply crafted input to these parameters and achieve arbitrary command execution on the device. This grants full control of the router, allowing traffic interception, persistence mechanisms, or use as an entry point into attached networks.

Public reporting confirms that the vulnerability has been exploited in the wild to distribute the Mirai botnet. The EPSS score rose from a low baseline to a peak of 0.6123, indicating measurable post-disclosure exploitation interest that warrants attention even after the current value receded to 0.4984. Technical details and proof-of-concept material are available in the referenced GitHub repository.
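As an added example (not from the page, the vendor, or the referenced repository), the following Python helper flags requests to the affected endpoint whose mac, time1 or time2 values contain shell metacharacters or do not match a strict expected format, the kind of check a WAF rule or log review would apply. The MAC and HH:MM formats, and the sample log entries, are assumptions constructed here for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/goform/set_LimitClient_cfg"   # endpoint named in the advisory
WATCHED = ("mac", "time1", "time2")            # parameters named in the advisory
# Characters that have no place in a MAC or a time value but are meaningful to a shell
SHELL_META = re.compile(r"[;|&`$(){}\n<>\\]")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # assumed format
TIME_RE = re.compile(r"^\d{1,2}:\d{2}$")                        # assumed HH:MM format
EXPECTED = {"mac": MAC_RE, "time1": TIME_RE, "time2": TIME_RE}

def inspect_request(path: str, body: str = "") -> list[str]:
    """Return findings for one request to the watched endpoint; [] means clean."""
    url = urlsplit(path)
    if url.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes, so encoded metacharacters (e.g. %24) are caught too
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)   # merge form-encoded POST body
    findings = []
    for name in WATCHED:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"{name}: shell metacharacter in {value!r}")
            elif not EXPECTED[name].match(value):
                findings.append(f"{name}: unexpected format {value!r}")
    return findings

# Constructed sample log entries (not real traffic): (method, path, body)
SAMPLE_LOG = [
    ("POST", "/goform/set_LimitClient_cfg", "mac=aa:bb:cc:dd:ee:ff&time1=08:00&time2=17:30"),
    ("POST", "/goform/set_LimitClient_cfg", "mac=aa:bb:cc:dd:ee:ff;id&time1=08:00&time2=17:30"),
    ("GET", "/goform/set_LimitClient_cfg?mac=aa:bb:cc:dd:ee:ff&time1=%24(id)&time2=17:30", ""),
    ("GET", "/goform/other?mac=;id", ""),   # different endpoint, out of scope for this rule
]

def scan_log(entries):
    """Return (index, findings) for every suspicious entry in the log."""
    hits = []
    for i, (_method, path, body) in enumerate(entries):
        findings = inspect_request(path, body)
        if findings:
            hits.append((i, findings))
    return hits

if __name__ == "__main__":
    for i, findings in scan_log(SAMPLE_LOG):
        print(i, findings)
```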

Vulnerability details

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product              Version
lb-link   bl-lte300 firmware   1.0.8
lb-link   bl-x26 firmware      1.2.5
lb-link   bl-wr9000 firmware   2.4.9
lb-link   bl-ac1900 firmware   1.0.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References