BroadlinkManager OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in BroadlinkManager version 5.9.1. Remote attackers can execute arbitrary operating system commands through the IP Address parameter of the '/device/ping' endpoint: the parameter is passed to a subprocess call without sanitization, so an attacker-controlled value becomes part of the command the server runs.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server where BroadlinkManager is running.
Reproduction
To reproduce this vulnerability, send a request to the '/device/ping' endpoint with a crafted IP Address parameter that includes the desired command. The application will execute the command on the server, demonstrating the command injection flaw.
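The mitigation for the pattern described above (untrusted input reaching a subprocess call) is to validate the value as an IP address and to invoke the external program with an argument list rather than a shell string. The following is an added example written for this advisory; it is not BroadlinkManager's own code, and the function names, the use of Python and the Linux-style `ping -c` flag are assumptions.

```python
import ipaddress
import subprocess
from typing import Optional

# Constructed example of a hardened "ping device" handler (not BroadlinkManager code).
# The vulnerable pattern is building a shell string such as "ping -c 1 " + ip and
# running it through a shell, which lets shell metacharacters in `ip` become extra
# commands. The hardened form below never lets the value reach a shell parser.


def validate_ip(value: str) -> Optional[str]:
    """Return the canonical address if `value` is a syntactically valid IPv4/IPv6
    address, otherwise None. ipaddress.ip_address() rejects anything that is not
    purely an address, so spaces, semicolons, quotes and '$(' never pass."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_argv(ip: str, count: int = 1) -> list[str]:
    """Build the argv list for ping. Raises ValueError on an invalid address.
    Because the result is a list handed to subprocess with shell=False, each
    element is a single argument; nothing in it is ever interpreted by /bin/sh."""
    validated = validate_ip(ip)
    if validated is None:
        raise ValueError("invalid IP address")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # `-c` is the Linux/BSD ping count flag (assumption: a Unix-like host).
    return ["ping", "-c", str(count), validated]


def ping_device(ip: str, timeout_s: float = 10.0) -> bool:
    """Ping the validated address without a shell; True if the host answered.
    A timeout bounds how long a request can tie up the worker."""
    argv = build_ping_argv(ip)
    try:
        result = subprocess.run(argv, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0


if __name__ == "__main__":
    # Accepts a well-formed address; rejects anything carrying extra characters.
    print(build_ping_argv("192.0.2.1"))
    for bad in ("192.0.2.1;", "192.0.2.1 extra", "not-an-ip"):
        print(bad, "->", validate_ip(bad))
```

In a web handler the only change is to take the request parameter, call `build_ping_argv` inside a try/except, and return an HTTP 400 on `ValueError` instead of running anything; a rejected value should also be logged, since repeated rejections on this endpoint are a useful detection signal.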
