Skip to main content

UGREEN CM933 CVE-2026-8185

| EUVDEUVD-2026-28909 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-09 VulDB GHSA-727c-q756-hcp2
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 09, 2026 - 11:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
May 09, 2026 - 11:00 vuln.today
CVE Published
May 09, 2026 - 10:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April."

AnalysisAI

Missing authentication in UGREEN CM933 1.1.59.4319 administrative interface allows unauthenticated local network attackers to manipulate an unknown function, potentially gaining unauthorized access with limited confidentiality, integrity, and availability impact. No public exploit code has been identified, and the vendor has committed to a fix in late April.

Technical ContextAI

UGREEN CM933 is a network-attached storage or connectivity device with an administrative interface accessible via the local network. The vulnerability stems from missing authentication controls (CWE-306) in an unspecified function within this interface, allowing attackers already on the local network to bypass authentication mechanisms and interact with administrative functionality without credentials. The exact technical mechanism-whether this involves direct API access, HTTP endpoints, or proprietary protocols-is not detailed in available disclosures.

RemediationAI

Upgrade UGREEN CM933 to the patched version when available in late April 2026. Until patching is feasible, restrict network access to the administrative interface to trusted hosts and networks only-use firewall rules or network segmentation to block untrusted devices from reaching the CM933's management ports. If the device supports authentication mechanisms in other functions, enable and enforce strong credentials. Monitor administrative interface access logs for unauthorized connection attempts. Note that network isolation is not a permanent fix and carries the trade-off of reduced device manageability if legitimate remote administration was required.

Share

CVE-2026-8185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy