Cyber Resilience

CVE-2026-7674

High

Published: 03 May 2026

Published
03 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0048 38.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7674 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-7674 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the start_single_service function in the Web Management Interface of Shenzhen Libituo Technology's LBT-T300-HW1 device firmware, versions up to 1.2.8. The flaw is triggered by manipulating the vpn_pptp_server or vpn_l2tp_server arguments, allowing remote exploitation. Published on 2026-05-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges, such as an authenticated user on the Web Management Interface, can remotely exploit this vulnerability without user interaction. Successful exploitation leads to a buffer overflow, potentially enabling arbitrary code execution, data compromise, or denial of service due to the high impacts on confidentiality, integrity, and availability.

No vendor response or patches were provided despite early disclosure contact, as noted in the advisory. Mitigation details are absent from available sources; practitioners should restrict access to the Web Management Interface, monitor for anomalous VPN configuration attempts, and consider device replacement. Key references include a GitHub proof-of-concept at https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md and VulDB entries at https://vuldb.com/vuln/360827.

EU & UK References

Vulnerability details

A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can…

more

be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in web management interface allows remote exploitation by low-privilege authenticated users to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2935Shared CWE-119, CWE-120
CVE-2025-15461Shared CWE-119, CWE-120
CVE-2026-7288Shared CWE-119, CWE-120
CVE-2025-9781Shared CWE-119, CWE-120
CVE-2026-3814Shared CWE-119, CWE-120
CVE-2026-7749Shared CWE-119, CWE-120
CVE-2026-2904Shared CWE-119, CWE-120
CVE-2026-4318Shared CWE-119, CWE-120
CVE-2025-15217Shared CWE-119, CWE-120
CVE-2026-3274Shared CWE-119, CWE-120

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents buffer overflows by requiring validation and sanitization of inputs like vpn_pptp_server and vpn_l2tp_server arguments to the start_single_service function in the Web Management Interface.

prevent

Mitigates exploitation of the buffer overflow vulnerability through memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution.

preventrecover

Mandates timely remediation of the identified buffer overflow flaw in LBT-T300-HW1 firmware up to version 1.2.8, including patching if available or device replacement.

References