Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web endpoint with low-complexity injection but requiring a valid low-privileged account (PR:L), yielding root-level command execution and full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.
AnalysisAI
Remote code execution in the Cudy LT300 3.0 4G LTE router (firmware before 2.5.12) lets authenticated users run arbitrary OS commands by embedding shell metacharacters in the cbid.system.ntp.current POST parameter of the system time (NTP) configuration page. Because the CVSS 4.0 vector specifies PR:L, an attacker needs valid (low-privileged) web credentials but no user interaction, and successful injection yields full host compromise (VC/VI/VA all High). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires authenticated access to the LT300 web management interface (CVSS PR:L - a valid low-privileged account, not necessarily full admin) plus network reachability to that interface; no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuinely high-impact but precondition-gated issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privileged web-UI credentials (for example via a default password, credential reuse, or an exposed management interface) logs into the LT300 console, opens the system time settings, and submits an NTP value such as a hostname followed by ;<command> in the cbid.system.ntp.current POST parameter. The injected command executes on the router OS, granting code execution and likely full device control. … |
| Remediation | Vendor-released patch: firmware version 2.5.12 - upgrade all Cudy LT300 3.0 units to 2.5.12 or later via the official download center at https://www.cudy.com/en-us/pages/download-center/lt300-3-0, and consult the VulnCheck advisory at https://www.vulncheck.com/advisories/cudy-lt300-os-command-injection-via-ntp-configuration. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Cudy LT300 routers in your environment and document current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39862
GHSA-wcjj-vwjf-qqvc