CVE-2026-5573 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-5573/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 05 Apr 2026 15:16:41 +0000Technostrobe HI-LED-WR120-G2 Unrestricted File Upload Vulnerability (CVE-2026-5573)https://feed.craftedsignal.io/briefs/2026-04-technostrobe-upload/Sun, 05 Apr 2026 15:16:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-technostrobe-upload/CVE-2026-5573 allows remote attackers to perform unrestricted file uploads on Technostrobe HI-LED-WR120-G2 devices by manipulating the 'cwd' argument when interacting with the /fs file.A critical vulnerability, CVE-2026-5573, has been identified in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This flaw allows unauthenticated, remote attackers to upload arbitrary files to the device due to improper handling of the ‘cwd’ argument when accessing the /fs file. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat due to the potential for complete system compromise, including remote code execution and data exfiltration.

Attack Chain

  1. The attacker identifies a Technostrobe HI-LED-WR120-G2 device running the vulnerable firmware version 5.5.0.1R6.03.30.
  2. The attacker sends a crafted HTTP request to the /fs endpoint, manipulating the cwd argument.
  3. The manipulated cwd argument bypasses access controls, allowing the attacker to specify an arbitrary upload directory.
  4. The attacker uploads a malicious file, such as a web shell or executable, to the specified directory.
  5. The attacker accesses the uploaded file via a web browser or other means.
  6. If the uploaded file is executable (e.g., a web shell), the attacker executes arbitrary commands on the device with the privileges of the web server.
  7. The attacker leverages the gained access to escalate privileges, install persistent backdoors, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-5573 allows attackers to gain complete control over affected Technostrobe HI-LED-WR120-G2 devices. This can lead to data breaches, system disruption, or the device being used as a foothold for further attacks within the network. The lack of vendor response and the availability of public exploits make this vulnerability particularly dangerous.

Recommendation

  • Monitor web server logs for suspicious requests to the /fs endpoint with unusual cwd parameter values. Use the provided Sigma rule to detect such activity.
  • Inspect uploaded files for malicious content. Deploy the file upload detection Sigma rule to identify potential web shells.
  • Block connections to the identified malicious URLs to prevent exploit attempts (see IOCs).
]]>highadvisoryCVE-2026-5573file-uploadweb-application