CVE-2026-22103
EVbee · DC-80
The EVbee DC-80 web server contains a command injection vulnerability in the NPC start endpoint on port 8090, enabling unauthenticated remote code execution.
Executive summary
The EVbee DC-80 is susceptible to a critical command injection vulnerability that permits unauthenticated remote attackers to execute arbitrary system commands.
Vulnerability
This vulnerability (CWE-77) stems from improper neutralization of special elements used in a command within the NPC start endpoint. An unauthenticated attacker can interact with the service on port 8090 to inject and execute arbitrary commands with the privileges of the web application.
Business impact
The ability to execute arbitrary commands on the target device allows for full system compromise, data theft, and the potential for the device to be used as a pivot point for further network attacks. With a CVSS score of 9.3, this flaw poses an extreme risk to the security posture of the infrastructure hosting the affected units.
Remediation
Immediate Action: Update the EVbee DC-80 firmware to version 1.5.1 or later immediately.
Proactive Monitoring: Monitor network traffic for anomalous command patterns directed at port 8090 and audit system logs for unexpected process execution.
Compensating Controls: Use network segmentation to isolate the DC-80 management interfaces from public-facing networks and implement strict firewall rules to limit access to port 8090.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this command injection vulnerability cannot be overstated, as it allows unauthenticated attackers to hijack the device completely. Immediate patching to version 1.5.1 is required to secure the device against potential exploitation.