CVE-2026-1802
Published: 03 February 2026
Summary
CVE-2026-1802 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly validates the macType argument in the macAddrClone function to prevent command injection payloads from being executed.
Requires identification, reporting, and correction of the specific command injection flaw in luci/controller/api/zrMacClone.lua, including patching or mitigation.
Vulnerability monitoring and scanning detects exposed Ziroom ZHOME A0101 devices vulnerable to CVE-2026-1802 and its public exploit for prioritized remediation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection in public-facing API endpoint (zrMacClone.lua) directly enables remote unauthenticated exploitation of a network device for arbitrary Unix command execution.
NVD Description
A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI)
CVE-2026-1802 is a command injection vulnerability affecting the Ziroom ZHOME A0101 1.0.1.0 device. The flaw resides in the macAddrClone function within the file luci/controller/api/zrMacClone.lua, where manipulation of the macType argument enables command injection. Published on 2026-02-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 and CWE-77.
The vulnerability is remotely exploitable by unauthenticated attackers, with low attack complexity and no user interaction. Successful exploitation has limited impact on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the affected device.
Advisories from VulDB and a GitHub repository detail the issue, including a publicly released exploit at https://github.com/jinhao118/cve/blob/main/ziru_router_command_injection.md. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned.
Notable context includes the public availability of the exploit, which may facilitate attacks against vulnerable Ziroom ZHOME A0101 1.0.1.0 devices.
Details
- CWE(s)