Skip to main content

T3 Technology CPE CVE-2026-35906

| EUVDEUVD-2026-34276 CRITICAL
OS Command Injection (CWE-78)
2026-06-04 mitre GHSA-9qwx-6gr4-xcgx
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 16:51 vuln.today
CVSS changed
Jun 04, 2026 - 16:22 NVD
9.6 (CRITICAL)
CVE Published
Jun 04, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string.

AnalysisAI

Unauthenticated remote command execution affects T3 Technology CPE routers (models T625Pro v1.0.07 and T6825G v1.0.03) through an undocumented debug CGI endpoint that processes attacker-supplied query strings as root-level shell commands. SSVC characterizes this as POC-available with total technical impact, and a public advisory has been published on GitHub, though it is not currently listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-78 OS Command Injection in a CGI handler exposed by the embedded web management interface of T3 Technology customer-premises equipment (CPE), devices typically deployed by ISPs (the references include Thai ISP True and Thai national CSIRT NCSA, suggesting regional deployment). CGI endpoints on embedded routers commonly pass query-string parameters through shell interpreters or popen()-style calls without sanitization, allowing metacharacters (e.g., ;, |, `, $()) to break out of the intended command context. Because the endpoint is undocumented, it was likely left in firmware for vendor debugging and not removed before shipping. The provided CPE string is a placeholder (cpe:2.3:a:n/a:n/a) and does not formally enumerate the device, so authoritative product mapping must rely on the description.

RemediationAI

No vendor-released patch identified at time of analysis - the references include the vendor's homepage but no firmware advisory or fixed version, so operators should contact T3 Technology directly and consult the researcher write-up at https://github.com/PwnOnu/T3-Technology-CPE-Advisories/blob/main/CVE-2026-35906.md for technical detail and any disclosed indicators. Until firmware is updated, restrict access to the device web management interface using ACLs so the CGI endpoint is reachable only from trusted management VLANs or the ISP's provisioning network (this breaks remote subscriber self-service if exposed on the WAN side, which is the common deployment); block inbound HTTP/HTTPS on the WAN interface where feasible, and place the device behind a perimeter firewall that drops external connections to TCP/80 and TCP/443. If the debug CGI path is documented in the GitHub advisory, add a reverse-proxy or upstream WAF rule to reject requests to that specific path, accepting that this may disrupt any legitimate diagnostic tooling that relies on it. Monitor web-server logs for suspicious query strings containing shell metacharacters targeting CGI paths.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-35906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy