CVE-2026-7674
Published: 03 May 2026
Summary
CVE-2026-7674 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-7674 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the start_single_service function in the Web Management Interface of Shenzhen Libituo Technology's LBT-T300-HW1 device firmware, versions up to 1.2.8. The flaw is triggered by manipulating the vpn_pptp_server or vpn_l2tp_server arguments, allowing remote exploitation. Published on 2026-05-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user on the Web Management Interface, can remotely exploit this vulnerability without user interaction. Successful exploitation leads to a buffer overflow, potentially enabling arbitrary code execution, data compromise, or denial of service due to the high impacts on confidentiality, integrity, and availability.
No vendor response or patches were provided despite early disclosure contact, as noted in the advisory. Mitigation details are absent from available sources; practitioners should restrict access to the Web Management Interface, monitor for anomalous VPN configuration attempts, and consider device replacement. Key references include a GitHub proof-of-concept at https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md and VulDB entries at https://vuldb.com/vuln/360827.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26808
Vulnerability details
A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can…
more
be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in web management interface allows remote exploitation by low-privilege authenticated users to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents buffer overflows by requiring validation and sanitization of inputs like vpn_pptp_server and vpn_l2tp_server arguments to the start_single_service function in the Web Management Interface.
Mitigates exploitation of the buffer overflow vulnerability through memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution.
Mandates timely remediation of the identified buffer overflow flaw in LBT-T300-HW1 firmware up to version 1.2.8, including patching if available or device replacement.