Skip to content
Threat Feed
high advisory

Technostrobe HI-LED-WR120-G2 Unrestricted File Upload Vulnerability (CVE-2026-5573)

CVE-2026-5573 allows remote attackers to perform unrestricted file uploads on Technostrobe HI-LED-WR120-G2 devices by manipulating the 'cwd' argument when interacting with the /fs file.

A critical vulnerability, CVE-2026-5573, has been identified in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This flaw allows unauthenticated, remote attackers to upload arbitrary files to the device due to improper handling of the ‘cwd’ argument when accessing the /fs file. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat due to the potential for complete system compromise, including remote code execution and data exfiltration.

Attack Chain

  1. The attacker identifies a Technostrobe HI-LED-WR120-G2 device running the vulnerable firmware version 5.5.0.1R6.03.30.
  2. The attacker sends a crafted HTTP request to the /fs endpoint, manipulating the cwd argument.
  3. The manipulated cwd argument bypasses access controls, allowing the attacker to specify an arbitrary upload directory.
  4. The attacker uploads a malicious file, such as a web shell or executable, to the specified directory.
  5. The attacker accesses the uploaded file via a web browser or other means.
  6. If the uploaded file is executable (e.g., a web shell), the attacker executes arbitrary commands on the device with the privileges of the web server.
  7. The attacker leverages the gained access to escalate privileges, install persistent backdoors, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-5573 allows attackers to gain complete control over affected Technostrobe HI-LED-WR120-G2 devices. This can lead to data breaches, system disruption, or the device being used as a foothold for further attacks within the network. The lack of vendor response and the availability of public exploits make this vulnerability particularly dangerous.

Recommendation

  • Monitor web server logs for suspicious requests to the /fs endpoint with unusual cwd parameter values. Use the provided Sigma rule to detect such activity.
  • Inspect uploaded files for malicious content. Deploy the file upload detection Sigma rule to identify potential web shells.
  • Block connections to the identified malicious URLs to prevent exploit attempts (see IOCs).

Detection coverage 2

Detect Suspicious cwd Parameter Manipulation in /fs Endpoint

high

Detects attempts to manipulate the `cwd` parameter in requests to the `/fs` endpoint, potentially indicating an exploitation attempt for CVE-2026-5573.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detect Upload of Common Web Shells

high

Detects the upload of common web shell file extensions to the /fs endpoint.

sigma tactics: persistence techniques: T1505.003 sources: webserver, linux

Detection queries are kept inside the platform. Get full rules →

Indicators of compromise

4

url

TypeValue
urlhttps://github.com/shiky8/my--cve-vulnerability-research/blob/main/my_VulnDB_cves/CVE-TECHNOSTROBE-05-FileUpload.md
urlhttps://vuldb.com/submit/783326
urlhttps://vuldb.com/vuln/355343
urlhttps://vuldb.com/vuln/355343/cti