<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-14736 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-14736/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 10:29:55 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-14736/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14736: Ruijie RG-UAC Unrestricted Upload Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14736-ruijie-uac/</link><pubDate>Sun, 05 Jul 2026 10:29:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14736-ruijie-uac/</guid><description>A critical unrestricted file upload vulnerability, CVE-2026-14736, in Ruijie RG-UAC up to version 1.0-R1.8.2.p5 allows unauthenticated remote attackers to upload arbitrary files via manipulation of the `upload_image` argument in `user_auth_commit.php`, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>A significant vulnerability, identified as CVE-2026-14736, has been discovered in Ruijie RG-UAC firmware up to version 1.0-R1.8.2.p5. This flaw, categorized as an unrestricted file upload (CWE-434), resides within an unknown function associated with the <code>user_auth_commit.php</code> file. Attackers can exploit this by manipulating the <code>upload_image</code> argument to bypass security checks and upload arbitrary files to the system. This attack can be carried out remotely without authentication, and a public exploit is available, increasing the urgency for defensive measures. Successful exploitation could grant threat actors the ability to execute arbitrary code on the affected device, leading to full system compromise, data exfiltration, or further network penetration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An unauthenticated remote attacker identifies a vulnerable Ruijie RG-UAC device exposed on the internet.</li>
<li><strong>Exploitation</strong>: The attacker crafts and sends a specially malformed HTTP POST request to the <code>user_auth_commit.php</code> endpoint on the vulnerable Ruijie RG-UAC device.</li>
<li><strong>Unrestricted Upload</strong>: Within the POST request, the attacker manipulates the <code>upload_image</code> argument to include a malicious file, such as a webshell (e.g., <code>shell.php</code> or <code>cmd.jsp</code>), which the vulnerable application then writes to a web-accessible directory on the server due to the flaw.</li>
<li><strong>Malicious File Placement</strong>: The RG-UAC application fails to properly validate the uploaded file's type, content, or extension, allowing the attacker's chosen payload to be stored on the system.</li>
<li><strong>Remote Code Execution Trigger</strong>: The attacker sends a subsequent HTTP GET request to the known or inferred path of the uploaded webshell, causing the server to execute the malicious code embedded within it.</li>
<li><strong>Post-Exploitation</strong>: With the webshell executed, the attacker gains remote command execution capabilities on the underlying operating system of the Ruijie RG-UAC device, enabling further actions like data exfiltration, system modification, or pivot to other internal network resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14736 grants an unauthenticated remote attacker arbitrary file upload capabilities, which can directly lead to remote code execution (RCE) on the compromised Ruijie RG-UAC device. This enables full control over the affected system, allowing attackers to manipulate configurations, exfiltrate sensitive data, disrupt network operations, or establish a foothold for lateral movement within the victim's network. While no specific victim organizations or sectors have been detailed in the public information, any organization utilizing vulnerable versions of Ruijie RG-UAC devices is at risk due to the remote nature of the exploit and its public availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-14736 by updating all Ruijie RG-UAC devices to a version beyond 1.0-R1.8.2.p5 as recommended by the vendor.</li>
<li>Ensure proper web server logging is enabled for all internet-facing devices, specifically logging HTTP POST and GET requests including URI stems, query parameters, and user-agent strings.</li>
<li>Review web server logs for suspicious POST requests to <code>/user_auth_commit.php</code> followed by anomalous GET requests to newly created files in web-accessible directories, which could indicate exploitation attempts related to CVE-2026-14736.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>unrestricted-file-upload</category><category>webserver</category><category>cve-2026-14736</category></item></channel></rss>