Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.
Technical ContextAI
The vulnerability stems from improper input validation on the cwd (current working directory) parameter in the /fs file system endpoint of the Technostrobe HI-LED-WR120-G2 web interface. This is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating the application fails to adequately restrict file upload operations or validate upload destination paths. The firmware device is a networked LED controller, and this endpoint likely handles firmware updates or configuration file uploads without sufficient path canonicalization or access control. The attack vector is network-based with low complexity and no user interaction required, making exploitation straightforward for remote attackers.
RemediationAI
No vendor-released patch has been identified at time of analysis. The vendor's non-responsiveness to early disclosure indicates remediation will likely require device replacement or manual firmware isolation. Immediate mitigation steps include: restrict network access to affected devices by implementing network segmentation and firewall rules to block inbound access to the web interface on port 80/443, disable remote management features if available, and monitor for suspicious file uploads or firmware modifications. Organizations should contact Technostrobe directly to request security updates or end-of-life guidance. Until patched versions are available, deploy affected devices only in isolated or trusted network environments with strong network-level access controls. Upgrade to alternative vendor solutions if available, as the vendor's non-response suggests limited security commitment.
More in Hi Led Wr120 G2
View allImproper authentication in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 allows unauthenticated remote attackers
Improper access controls in Technostrobe HI-LED-WR120-G2 firmware 5.5.0.1R6.03.30 enable unauthenticated remote attacker
Technostrobe HI-LED-WR120-G2 firmware versions up to 5.5.0.1R6.03.30 allow remote unauthenticated attackers to disclose
Remote unauthenticated attackers can bypass authorization checks in the FsBrowseClean component's deletefile function of
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19095
GHSA-mfwc-7h58-p642