KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2023-26801

PUBLISHED

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command...

Exploited in the wild Remote Low complexity No user interaction
Vendor
LB-LINK
Product
BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300
Published
Mar 26, 2023
EPSS

Description

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2025-04-22 00:00:00 UTC · Source

SSVC decision points

Exploitation
none
Automatable
No
Technical impact
partial

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) Apr 28, 2025

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel