Skip to main content

Thingino Firmware CVE-2026-26213

| EUVDEUVD-2026-16293 HIGH
OS Command Injection (CWE-78)
2026-03-26 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 19:16 euvd
EUVD-2026-16293
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:00 nvd
HIGH 8.7

DescriptionCVE.org

thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.

AnalysisAI

Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.

Technical ContextAI

The vulnerability resides in thingino-firmware's captive portal CGI implementation, specifically affecting the parse_query() and parse_post() functions that process HTTP requests. The affected product (CPE cpe:2.3:a:themactep:thingino-firmware) uses eval functions to parse HTTP parameter names without proper sanitization, creating a classic CWE-78 OS Command Injection weakness. When an attacker sends specially crafted HTTP requests to the captive portal interface, malicious parameter names are directly evaluated by the shell with root privileges. This design flaw allows attackers to break out of the intended parameter parsing context and execute arbitrary system commands, bypassing all authentication mechanisms since the captive portal is designed to be accessible before network authentication.

RemediationAI

Upgrade thingino-firmware to version firmware-2026-03-15 or later, as referenced in the GitHub release at https://github.com/themactep/thingino-firmware/releases/tag/firmware-2026-03-15 (note: the vulnerability affects versions through firmware-2026-03-16, suggesting the fix may be in a subsequent unreleased version or the timeline requires vendor clarification). Until patching is completed, implement network segmentation to restrict access to the captive portal interface from untrusted adjacent networks, disable the WiFi captive portal feature if not operationally required, and monitor for suspicious command execution or unauthorized SSH key modifications. Organizations should review SSH authorized_keys files and root password integrity on deployed devices to detect potential prior exploitation. Consult the VulnCheck advisory at https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal for additional technical remediation guidance.

Share

CVE-2026-26213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy