Description

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request.

PUBLISHED Reserved 2026-01-11 | Published 2026-01-13 | Updated 2026-01-14 | Assigner VulnCheck




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

3.3.3 (affected)

Credits

Filip Carlsson (finder)

References

www.exploit-db.com/exploits/50960 (ExploitDB-50960) exploit

www.algosolutions.com/ (Algo Solutions Official Homepage) product

www.algosolutions.com/...-downloads/8028-firmware-selection/ (Algo 8028 Firmware Downloads) product

www.vulncheck.com/...remote-code-execution-rce-authenticated (VulnCheck Advisory: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)) third-party-advisory

cve.org (CVE-2022-50909)

nvd.nist.gov (CVE-2022-50909)
