Cyber Resilience

CVE-2026-1802

Medium

Published: 03 February 2026

Modified: 15 April 2026
CVSS v4 Score: 6.9
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0195 (83.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1802 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Remote unauthenticated attackers can supply a crafted macType value to the affected API endpoint and execute arbitrary commands on the device. The vulnerability maps to CWE-74 and CWE-77, carries a CVSS 4.0 score of 6.9, and requires no user interaction or special privileges.

Public references consist of a technical disclosure on GitHub together with VulDB entries that document the issue and the vendor's lack of response; no official patches or mitigation guidance are referenced. The associated EPSS score remains low, with a current value of 0.0195 and a peak of 0.0218.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a public-facing API endpoint (zrMacClone.lua) directly enables remote unauthenticated exploitation of a network device for arbitrary Unix command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2194: shared CWE-74, CWE-77
CVE-2026-2218: shared CWE-74, CWE-77
CVE-2026-5103: shared CWE-74, CWE-77
CVE-2026-4203: shared CWE-74, CWE-77
CVE-2026-2135: shared CWE-74, CWE-77
CVE-2026-3661: shared CWE-74, CWE-77
CVE-2026-2615: shared CWE-74, CWE-77
CVE-2026-4207: shared CWE-74, CWE-77
CVE-2025-10628: shared CWE-74, CWE-77
CVE-2026-5333: shared CWE-74, CWE-77

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly validates the macType argument in the macAddrClone function to prevent command injection payloads from being executed.

Prevent: Requires identification, reporting, and correction of the specific command injection flaw in luci/controller/api/zrMacClone.lua, including patching or mitigation.

Prevent, detect: Vulnerability monitoring and scanning detects exposed Ziroom ZHOME A0101 devices vulnerable to CVE-2026-1802 and its public exploit for prioritized remediation.
