{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2548", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-15T16:03:56.796Z", "datePublished": "2026-02-16T09:02:05.796Z", "dateUpdated": "2026-02-23T10:07:54.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:07:54.559Z"}, "title": "WAYOS FBM-220G rc sub_40F820 command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "WAYOS", "product": "FBM-220G", "versions": [{"version": "24.10.19", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub_40F820 of the file rc. Executing a manipulation of the argument upnp_waniface/upnp_ssdp_interval/upnp_max_age can lead to command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-19T00:02:59.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "jfkk (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346157", "name": "VDB-346157 | WAYOS FBM-220G rc sub_40F820 command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346157", "name": "VDB-346157 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749802", "name": "Submit #749802 | WAYOS FBM220G and others 24.10.19 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md", "tags": ["related"]}]}, "adp": [{"references": [{"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T16:57:30.664436Z", "id": "CVE-2026-2548", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T16:57:35.264Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2548", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T16:57:30.664436Z"}}}], "references": [{"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T16:57:24.829Z"}}], "cna": {"title": "WAYOS FBM-220G rc sub_40F820 command injection", "credits": [{"lang": "en", "type": "reporter", "value": "jfkk (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "WAYOS", "product": "FBM-220G", "versions": [{"status": "affected", "version": "24.10.19"}]}], "timeline": [{"lang": "en", "time": "2026-02-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-19T00:02:59.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346157", "name": "VDB-346157 | WAYOS FBM-220G rc sub_40F820 command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346157", "name": "VDB-346157 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749802", "name": "Submit #749802 | WAYOS FBM220G and others 24.10.19 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md", "tags": ["related"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub_40F820 of the file rc. Executing a manipulation of the argument upnp_waniface/upnp_ssdp_interval/upnp_max_age can lead to command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:07:54.559Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2548", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:07:54.559Z", "dateReserved": "2026-02-15T16:03:56.796Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-16T09:02:05.796Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub_40F820 of the file rc. Executing a manipulation of the argument upnp_waniface/upnp_ssdp_interval/upnp_max_age can lead to command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en WAYOS FBM-220G 24.10.19. Esto afecta a la funci\u00f3n sub_40F820 del archivo rc. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento upnp_waniface/upnp_ssdp_interval/upnp_max_age puede conducir a una inyecci\u00f3n de comandos. El ataque puede ejecutarse de forma remota. Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-2548", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-16T09:16:08.853", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346157"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346157"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.749802"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "24.10.19"}}], "product": "fbm-220g", "vendor": "wayos"}], "analysis": {"en": {"generated_at": "2026-04-17T19:11:00.839096+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update from WAYOS that removes the insecure handling in sub_40F820.", "Disable UPnP or restrict access to the upnp_waniface, upnp_ssdp_interval, and upnp_max_age parameters through network ACLs or device configuration.", "Configure firewalls or segment the network to limit exposure of the device\u2019s management interface and monitor for anomalous UPnP activity."], "summary": {"action": "Apply patch", "impact": "Command injection that can lead to remote code execution"}, "threat_synthesis": {"affected_systems": "The affected product is the WAYOS FBM-220G broadband modem. Firmware version 24.10.19 includes the vulnerable sub_40F820 implementation. This version is the only one indicated in the advisory.", "description_and_impact": "This vulnerability is caused by improper input handling in the sub_40F820 routine of the FBM-220G firmware. The routine accepts the parameters upnp_waniface, upnp_ssdp_interval, and upnp_max_age and forwards them directly to the underlying system without validation, resulting in a command injection flaw. An attacker can send crafted values for these parameters over the remote interface, allowing arbitrary shell commands to be executed on the device. The weakness represents a command injection (CWE-77) and command and regular expression injection (CWE-74) vulnerability.", "risk_and_exploitability": "CVSS base score 5.3 indicates moderate severity. The EPSS score of 2% is relatively low but demonstrates that the vulnerability has a tangible likelihood of exploitation in the wild. The attack vector is remote, as the exploit is triggered through the UPnP interface. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw allows arbitrary command execution, the potential impact ranges from service disruption to full device compromise if an attacker is able to use downstream networking functions. The lack of vendor remediation in the advisory further increases the risk for current deployments."}}}}, "created": "2026-02-16T12:01:01.080132+00:00", "updated": "2026-04-17T19:15:26.257755+00:00", "vendors": ["wayos", "wayos$PRODUCT$fbm-220g"]}