Inim Electronics SmartLiving SmartLAN Command Execution Vulnerability

Vulnerability

A remote authenticated command injection vulnerability has been identified in Inim Electronics SmartLiving SmartLAN versions 6.x and prior. The issue resides in the web.cgi binary, where the 'par' POST parameter is not properly sanitized when used with the 'testemail' module. Because the unsanitized parameter value reaches a system() call, an authenticated attacker, including one logging in with the default credentials, can execute arbitrary system commands with root privileges. The vulnerability bypasses existing access controls.

Impact

Exploitation of this vulnerability allows for unauthorized remote execution of commands with root privileges, potentially leading to a complete compromise of the affected system.

Reproduction

To reproduce this vulnerability, send an authenticated POST request to the 'web.cgi' CGI script with the 'mod' parameter set to 'testemail' and the 'par' parameter containing the payload. The request must include a cookie with valid credentials. Once the command injection is successful, the executed command's output can be retrieved through the same interface.
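From the defender's side, the request shape above is easy to spot in proxy or WAF logs that capture POST bodies. The following is an added detection example, not code from the advisory or from Inim; it assumes a constructed log format of "<client> <method> <path> body=<urlencoded form>" and treats any shell metacharacter in 'par' for the 'testemail' module as suspicious, since a legitimate test address needs none.

```python
# Added example (not from the advisory): flag POST requests to web.cgi that
# target the 'testemail' module and carry shell metacharacters in 'par'.
import re
from urllib.parse import parse_qs

# Characters a plain e-mail address for 'testemail' should never contain.
# Assumption: 'par' is expected to hold an address, not shell syntax.
SHELL_META = re.compile(r'[;|&`$(){}<>\n\\]')

# Constructed log format: "<client> <method> <path> body=<urlencoded form>"
LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+body=(?P<body>.*)$')


def inspect_line(line):
    """Return a finding dict for a suspicious testemail request, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m['method'] != 'POST' or not m['path'].endswith('/web.cgi'):
        return None
    form = parse_qs(m['body'], keep_blank_values=True)  # percent-decodes values
    if form.get('mod', [''])[0] != 'testemail':
        return None
    par = form.get('par', [''])[0]
    hits = sorted(set(SHELL_META.findall(par)))
    if not hits:
        return None
    return {'src': m['src'], 'par': par, 'metachars': hits}


def scan(lines):
    """Run inspect_line over a log and keep only the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample traffic: a benign address test, an attempt that smuggles
# metacharacters into 'par', a GET, and a different module with metacharacters.
SAMPLE_LOG = [
    "10.0.0.5 POST /web.cgi body=mod=testemail&par=admin%40example.com",
    "10.0.0.9 POST /web.cgi body=mod=testemail&par=admin%40example.com%3B%26",
    "10.0.0.9 GET /web.cgi body=",
    "10.0.0.7 POST /web.cgi body=mod=status&par=%3B",
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported; the 'status' request with a semicolon is ignored because the advisory ties the injection to the 'testemail' module alone.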

Added: Jan 8, 2026, 12:26 AM
Updated: Jan 8, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 8.3
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.