CarlinKit CPC200-CCPA Improper Cryptographic Signature Verification Vulnerability Allowing Code Execution

Vulnerability

A vulnerability exists in the CarlinKit CPC200-CCPA device within the update.cgi component, where improper verification of cryptographic signatures on update packages allows network-adjacent attackers to execute arbitrary code. Exploitation requires bypassing the device's authentication mechanism first; the code executed through the update path then runs in the context of root.
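The failure class described above is an update handler that accepts a package without a sound signature check. The Go example below is an added illustration, not code from CarlinKit or from the device's update.cgi; it assumes an Ed25519 vendor key pinned in firmware and a detached signature over the SHA-256 digest of the payload (the page does not state which algorithm the device uses). It shows the check an update path must perform before unpacking or executing anything: reject packages with no signature, with a malformed signature, or whose signature does not verify under the pinned key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, minimal stand-in for a firmware update
// bundle: the payload bytes plus a detached signature over their SHA-256 digest.
// (Hypothetical format; not the CPC200-CCPA's real package layout.)
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrMissingSignature = errors.New("update rejected: no signature present")
	ErrBadSignature     = errors.New("update rejected: signature does not verify against pinned key")
)

// VerifyUpdate enforces the check an update handler must perform before it
// touches the payload: the signature must be present, have the exact Ed25519
// length, and verify under the vendor key pinned in firmware. Any other
// outcome is a hard reject; there is no "missing signature, continue anyway" path.
func VerifyUpdate(pinnedKey ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrMissingSignature
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinnedKey, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the build-side counterpart (hypothetical; stands in for the
// vendor's offline signing step) so the example can be exercised end to end.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	// Constructed key pair: in a real device only the public half is pinned.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	good := SignUpdate(priv, []byte("constructed firmware image v1"))
	fmt.Println("genuine package:", VerifyUpdate(pub, good)) // <nil>

	// Payload altered after signing: digest changes, signature no longer verifies.
	tampered := UpdatePackage{
		Payload:   []byte("constructed firmware image v1 with injected post-install script"),
		Signature: good.Signature,
	}
	fmt.Println("tampered package:", VerifyUpdate(pub, tampered))

	// Signature stripped entirely: must be rejected, not treated as "unsigned but fine".
	unsigned := UpdatePackage{Payload: good.Payload}
	fmt.Println("unsigned package:", VerifyUpdate(pub, unsigned))
}
```

The design point is that verification happens on the raw bytes before any decompression, extraction or script execution, and that the trusted key is fixed in firmware rather than shipped inside the package it is meant to validate.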

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with the executed code having root privileges.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  3.5
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.