CVE-2026-32833 HIGH

CVE-2026-32833: Cudy LT300 3.0 OS Command Injection via NTP Configuration

Vendor Shenzhen Cudy Technology Co., Ltd.

Product LT300 3.0

Weakness CWE-78

Published June 26, 2026

Last update June 29, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface. Attackers can submit malicious payloads through the NTP settings endpoint to achieve remote code execution on the underlying system.

Key dates

02Disclosure timeline

June 26, 2026 CVE published

June 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32833 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-32833: Cudy LT300 3.0 OS Command Injection via NTP Configuration

01Description

02Disclosure timeline

03References

04Related CVE