CVE-2026-1802
Published: 03 February 2026
Summary
CVE-2026-1802 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Remote unauthenticated attackers can supply a crafted macType value to the affected API endpoint and execute arbitrary commands on the device. The vulnerability maps to CWE-74 and CWE-77, carries a CVSS 4.0 score of 6.9, and requires no user interaction or special privileges.
Public references consist of a technical disclosure on GitHub together with VulDB entries that document the issue and the vendor's lack of response; no official patches or mitigation guidance are referenced. The associated EPSS score remains low, with a current value of 0.0195 and a peak of 0.0218.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5182
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public-facing API endpoint (zrMacClone.lua) directly enables remote unauthenticated exploitation of a network device for arbitrary Unix command execution.
Mitigating Controls (NIST 800-53 r5)
- Directly validates the macType argument in the macAddrClone function to prevent command injection payloads from being executed.
- Requires identification, reporting, and correction of the specific command injection flaw in luci/controller/api/zrMacClone.lua, including patching or mitigation.
- Vulnerability monitoring and scanning detects exposed Ziroom ZHOME A0101 devices vulnerable to CVE-2026-1802 and its public exploit for prioritized remediation.