Cyber Resilience

CVE-2026-5574

Medium · Public PoC

Published: 05 April 2026

Modified: 01 May 2026
KEV Added
Patch
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0054 (41.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-5574 is a medium-severity Missing Authorization (CWE-862) vulnerability in Technostrobe HI-LED-WR120-G2 firmware. Its CVSS v4 base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-5574 is a missing authorization vulnerability affecting the deletefile function within the FsBrowseClean component of Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30. The issue arises from improper handling of the dir/path argument, allowing bypass of authorization checks. Published on 2026-04-05, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and maps to CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization).

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in limited impacts to integrity (I:L) and availability (A:L), with no confidentiality loss (C:N), potentially allowing unauthorized file deletion on the affected device.

Advisories from VulDB (vuln/355344) and a GitHub repository detail the public disclosure of an exploit, noting it may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or official mitigations are referenced in the available sources.

Vulnerability details

A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/path leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1070.004 · File Deletion · Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

The missing authorization vulnerability in the public-facing deletefile function directly enables remote unauthenticated exploitation of the application (T1190) and facilitates unauthorized file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5570 · Same product: Technostrobe Hi-Led-Wr120-G2
CVE-2026-5569 · Same product: Technostrobe Hi-Led-Wr120-G2
CVE-2026-5571 · Same product: Technostrobe Hi-Led-Wr120-G2
CVE-2026-5573 · Same product: Technostrobe Hi-Led-Wr120-G2
CVE-2025-14457 · Shared CWE-862
CVE-2025-15406 · Shared CWE-862, CWE-863
CVE-2026-45242 · Shared CWE-862
CVE-2025-26853 · Shared CWE-862, CWE-863
CVE-2024-12920 · Shared CWE-862
CVE-2026-33918 · Shared CWE-862

Affected Assets

technostrobe
hi-led-wr120-g2 firmware
5.5.0.1r6.03.30

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-3 mandates enforcement of approved authorizations for access to system resources like files, directly addressing the missing authorization check in the deletefile function.

Prevent: AC-14 explicitly prohibits unauthorized actions such as remote file deletion without identification or authentication, countering the PR:N exploitation vector.

Prevent, recover: SI-2 requires timely identification, reporting, and remediation of flaws like this missing authorization vulnerability in the FsBrowseClean component.
