Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string.
AnalysisAI
Unauthenticated remote command execution affects T3 Technology CPE routers (models T625Pro v1.0.07 and T6825G v1.0.03) through an undocumented debug CGI endpoint that processes attacker-supplied query strings as root-level shell commands. SSVC characterizes this as POC-available with total technical impact, and a public advisory has been published on GitHub, though it is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-78 OS Command Injection in a CGI handler exposed by the embedded web management interface of T3 Technology customer-premises equipment (CPE), devices typically deployed by ISPs (the references include Thai ISP True and Thai national CSIRT NCSA, suggesting regional deployment). CGI endpoints on embedded routers commonly pass query-string parameters through shell interpreters or popen()-style calls without sanitization, allowing metacharacters (e.g., ;, |, `, $()) to break out of the intended command context. Because the endpoint is undocumented, it was likely left in firmware for vendor debugging and not removed before shipping. The provided CPE string is a placeholder (cpe:2.3:a:n/a:n/a) and does not formally enumerate the device, so authoritative product mapping must rely on the description.
RemediationAI
No vendor-released patch identified at time of analysis - the references include the vendor's homepage but no firmware advisory or fixed version, so operators should contact T3 Technology directly and consult the researcher write-up at https://github.com/PwnOnu/T3-Technology-CPE-Advisories/blob/main/CVE-2026-35906.md for technical detail and any disclosed indicators. Until firmware is updated, restrict access to the device web management interface using ACLs so the CGI endpoint is reachable only from trusted management VLANs or the ISP's provisioning network (this breaks remote subscriber self-service if exposed on the WAN side, which is the common deployment); block inbound HTTP/HTTPS on the WAN interface where feasible, and place the device behind a perimeter firewall that drops external connections to TCP/80 and TCP/443. If the debug CGI path is documented in the GitHub advisory, add a reverse-proxy or upstream WAF rule to reject requests to that specific path, accepting that this may disrupt any legitimate diagnostic tooling that relies on it. Monitor web-server logs for suspicious query strings containing shell metacharacters targeting CGI paths.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34276
GHSA-9qwx-6gr4-xcgx