Thingino Firmware OS Command Injection Vulnerability in WiFi Captive Portal CGI

Vulnerability

An unauthenticated OS command injection vulnerability has been identified in Thingino firmware versions prior to the 2026-03-15 release. The issue resides in the WiFi captive portal CGI script, where unsanitized HTTP parameter names reach an eval call in the parse_query() and parse_post() functions, allowing remote attackers to execute arbitrary commands as root. This yields remote code execution and unauthorized privileged configuration changes, such as resetting the root password and modifying the SSH authorized_keys file, resulting in a complete and persistent compromise of the device.
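The defensive counterpart to the flaw described above, as an added example that is not Thingino's parse_query()/parse_post() code: a shell CGI query parser that never hands request-derived text to eval. Parameter names are validated against a strict allow-list before they are used anywhere, and values are percent-decoded only when a validated name is looked up. POSIX sh; all function and variable names are the example's own.

```shell
# Added example, not Thingino's code: a shell CGI query parser that never passes request
# text to eval. Names are validated before use; values are percent-decoded only on lookup.
nl='
'
# Accept a parameter name only if it matches [A-Za-z_][A-Za-z0-9_]*.
valid_param_name() {
    case "$1" in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; *) return 0 ;; esac
}

# Percent-decode one argument ("+" becomes a space), one character at a time, in POSIX sh.
url_decode() {
    s=$1
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}
        case "$c" in
            +) printf ' ' ;;
            %) hex=${rest%"${rest#??}"}
               case "$hex" in
                   [0-9A-Fa-f][0-9A-Fa-f]) printf "\\$(printf '%03o' "0x$hex")"; rest=${rest#??} ;;
                   *) printf '%%' ;; esac ;;
            *) printf '%s' "$c" ;;
        esac
        s=$rest
    done
}

# Split a query string (or urlencoded POST body) into PARAMS, one "name=rawvalue" line each.
# Pairs with an invalid name, or a raw value containing a newline, are dropped and counted.
parse_query() {
    PARAMS=''; REJECTED=0
    set -f; IFS='&'                       # no globbing while splitting on '&'
    for pair in $1; do
        [ -n "$pair" ] || continue
        name=${pair%%=*}; value=${pair#*=}; [ "$value" = "$pair" ] && value=''
        if valid_param_name "$name" && [ "${value#*"$nl"}" = "$value" ]; then
            PARAMS="$PARAMS$name=$value$nl"
        else REJECTED=$((REJECTED + 1)); fi
    done
    unset IFS; set +f
}

# Print the decoded value of one parameter; return 1 if the name is invalid or absent.
query_get() {
    valid_param_name "$1" || return 1
    printf '%s' "$PARAMS" | { while IFS= read -r line; do
        case "$line" in "$1="*) url_decode "${line#*=}"; exit 0 ;; esac
    done; exit 1; }
}
```

In a CGI script this would be driven by `parse_query "$QUERY_STRING"` for GET requests and by the request body read from stdin for POST; REJECTED can be logged so that requests carrying malformed parameter names are visible to the operator.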

Impact

Successful exploitation allows for arbitrary command execution as the root user, with the potential for full and persistent compromise of the device.

Added: Mar 26, 2026, 7:39 PM
Updated: Mar 26, 2026, 7:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.1
remediation: 0.0
relevance: 4.7
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.