{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5573/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5573"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-5573","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5573, has been identified in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This flaw allows unauthenticated, remote attackers to upload arbitrary files to the device due to improper handling of the \u0026lsquo;cwd\u0026rsquo; argument when accessing the \u003ccode\u003e/fs\u003c/code\u003e file. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat due to the potential for complete system compromise, including remote code execution and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Technostrobe HI-LED-WR120-G2 device running the vulnerable firmware version 5.5.0.1R6.03.30.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/fs\u003c/code\u003e endpoint, manipulating the \u003ccode\u003ecwd\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe manipulated \u003ccode\u003ecwd\u003c/code\u003e argument bypasses access controls, allowing the attacker to specify an arbitrary upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious file, such as a web shell or executable, to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded file via a web browser or other means.\u003c/li\u003e\n\u003cli\u003eIf the uploaded file is executable (e.g., a web shell), the attacker executes arbitrary commands on the device with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to escalate privileges, install persistent backdoors, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5573 allows attackers to gain complete control over affected Technostrobe HI-LED-WR120-G2 devices. This can lead to data breaches, system disruption, or the device being used as a foothold for further attacks within the network. The lack of vendor response and the availability of public exploits make this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/fs\u003c/code\u003e endpoint with unusual \u003ccode\u003ecwd\u003c/code\u003e parameter values. Use the provided Sigma rule to detect such activity.\u003c/li\u003e\n\u003cli\u003eInspect uploaded files for malicious content. Deploy the file upload detection Sigma rule to identify potential web shells.\u003c/li\u003e\n\u003cli\u003eBlock connections to the identified malicious URLs to prevent exploit attempts (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T15:16:41Z","date_published":"2026-04-05T15:16:41Z","id":"/briefs/2026-04-technostrobe-upload/","summary":"CVE-2026-5573 allows remote attackers to perform unrestricted file uploads on Technostrobe HI-LED-WR120-G2 devices by manipulating the 'cwd' argument when interacting with the /fs file.","title":"Technostrobe HI-LED-WR120-G2 Unrestricted File Upload Vulnerability (CVE-2026-5573)","url":"https://feed.craftedsignal.io/briefs/2026-04-technostrobe-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5573","version":"https://jsonfeed.org/version/1.1"}