CVE-2026-32833 - Cudy LT300 NTP configuration command injection
CVE-2026-32833 - Cudy LT300 NTP configuration command injection - High - 2026-06-26
Business risk: An authenticated router user can execute OS commands on the network edge device and pivot into internal networks.
Root cause: The cbid.system.ntp.current POST parameter accepts shell metacharacters in the NTP configuration path.
Affected versions
- Vulnerable: Cudy LT300 3.0 firmware before 2.5.12.
- Fixed / safe target: Upgrade LT300 3.0 firmware to 2.5.12+ and ensure NTP configuration never reaches a shell as a concatenated string.
- CVSS: 8.8 (High)
Exact vulnerable code pattern
ntp_server="$POST_cbid_system_ntp_current"
system "ntpclient -h $ntp_server"
Fixed / mitigated code pattern
if (!is_valid_hostname_or_ip(ntp_server)) {
return HTTP_BAD_REQUEST;
}
char *argv[] = { "ntpclient", "-h", ntp_server, NULL };
execve("/usr/sbin/ntpclient", argv, safe_env);
Step-by-step integration guide
- Inventory managed Cudy LT300 3.0 devices and firmware versions.
- Upgrade all devices to firmware 2.5.12+.
- Restrict management UI access to admin VPN or a management network.
- Review NTP settings/logs for shell metacharacters.
- Patch owned wrappers to use argv execution and hostname allow-list validation.
Alternative mitigations
- Block WAN/admin exposure of the management interface.
- Disable remote management until firmware is patched.
- Alert on NTP values containing shell metacharacters.
Detection signature
rg -n "cbid\.system\.ntp\.current|ntpclient|system\(|popen\(|LT300|cudy" .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-32833: Cudy LT300 NTP configuration command injection.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-32833 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, cudy, router, firmware, command-injection, ntp, sellable_to_msp, zero_day_gold, high
- Affected tech stack: network/firmware
- Revenue tags: sellable_to_msp, zero_day_gold