Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 is vulnerable to cross-site request forgery (CSRF) in an unknown function, allowing remote attackers to perform unauthorized actions via a specially crafted request requiring user interaction. Public exploit code is available, and the vendor has not responded to early disclosure attempts, leaving deployed devices potentially at risk.
Technical ContextAI
This vulnerability exploits a cross-site request forgery (CWE-352) weakness in Technostrobe HI-LED-WR120-G2, a networked LED control device. CSRF attacks manipulate authenticated users into performing unintended actions on a target application by tricking their browser into issuing forged requests. The affected firmware version 5.5.0.1R6.03.30 lacks proper CSRF protections (such as anti-CSRF tokens or SameSite cookie attributes) in at least one unidentified endpoint. Since the device is network-accessible (AV:N) and the attack requires minimal complexity (AC:L) with user interaction (UI:P), attackers can craft malicious web pages or emails that, when visited by an administrator, silently modify device settings or configurations.
RemediationAI
No vendor-released patch has been identified at time of analysis due to vendor non-responsiveness. Organizations operating HI-LED-WR120-G2 devices should implement network-level mitigations: restrict administrative access to trusted internal networks only, disable remote management interfaces if not required, and implement web application firewalls with CSRF protection rules. Additionally, configure devices to use secure cookie flags (SameSite=Strict if supported) and educate administrators to avoid clicking links from untrusted sources while logged into device management interfaces. Users should contact Technostrobe directly to request patched firmware; if unavailable, consider isolating affected devices or replacing them with alternative LED controllers from vendors with active security support. References: https://github.com/shiky8/my--cve-vulnerability-research/blob/main/my_VulnDB_cves/CVE-TECHNOSTROBE-04-CSRF.md, https://vuldb.com/vuln/355342.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19093
GHSA-5fff-9c5f-h2fx