CVE-2026-36828
Panabit · PAP-XM320
The Panabit PAP-XM320 contains a command injection vulnerability in the /cgi-bin/tools/ajax_cmd endpoint, allowing for unauthorized remote code execution.
Executive summary
A critical command injection vulnerability in the Panabit PAP-XM320 appliance allows unauthenticated attackers to execute arbitrary system commands, posing a severe threat to network infrastructure.
Vulnerability
The command injection flaw resides in the /cgi-bin/tools/ajax_cmd endpoint. It allows an attacker to inject and execute arbitrary system-level commands, likely without requiring authentication.
Business impact
The ability to inject commands into a network appliance typically grants an attacker full control over the affected device. With a CVSS score of 8.8, this vulnerability poses an extreme risk, including complete system compromise, lateral movement within the network, and potential interception of sensitive traffic.
Remediation
Immediate Action: Apply vendor-supplied security patches or firmware updates immediately. Restrict network access to the management interface to trusted IP addresses only.
Proactive Monitoring: Monitor device logs for anomalous command execution or unauthorized access attempts to the /cgi-bin/tools/ directory. Check for unexpected outbound network connections originating from the appliance.
Compensating Controls: Utilize a firewall to block all external access to the appliance's management interface. Use an Intrusion Detection System (IDS) to monitor for command injection signatures in HTTP requests.
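One way to run the log check described under Proactive Monitoring, as an added example that is not part of the original advisory or any vendor tooling. It assumes the appliance, or a proxy in front of it, writes Common Log Format access lines; the trusted network 10.20.0.0/24, the sample lines and the parameter name x are constructed placeholders, since the advisory does not document the request format.

```python
import ipaddress
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Assumption: the management network allowed to reach the appliance UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WATCHED_PREFIX = "/cgi-bin/tools/"
# Separators, redirection and substitution syntax a shell would interpret.
SHELL_META = re.compile(r"[;|&`<>\n\r]|\$[({]")
# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return the finding tags for one access-log line (empty list = clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    client, target, _status = m.groups()
    parts = urlsplit(target)
    # Decode and collapse repeated slashes so "/cgi-bin//tools/" still matches.
    path = re.sub(r"/+", "/", unquote(parts.path))
    if not path.startswith(WATCHED_PREFIX):
        return []
    findings = []
    try:
        addr = ipaddress.ip_address(client)
        if not any(addr in net for net in TRUSTED_NETS):
            findings.append("untrusted-source")
    except ValueError:
        findings.append("unparsed-source")
    # Split on the raw "&" first, then decode, so an encoded %26 is still seen.
    for pair in filter(None, parts.query.split("&")):
        if SHELL_META.search(unquote_plus(pair)):
            findings.append("shell-metacharacter")
            break
    return findings


# Constructed sample lines; the parameter name "x" is a placeholder.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /cgi-bin/tools/ajax_cmd?x=status HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /cgi-bin/tools/ajax_cmd?x=status HTTP/1.1" 200 512',
    '10.20.0.15 - - [01/Jan/2026:10:00:09 +0000] "GET /cgi-bin/tools/ajax_cmd?x=a%3Bid HTTP/1.1" 200 90',
    '203.0.113.7 - - [01/Jan/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        tags = classify(entry)
        if tags:
            print(",".join(tags), "|", entry)
```

Access logs do not record POST bodies, so this check only sees input carried in the URL; inspecting request bodies still needs the IDS mentioned under Compensating Controls.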
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a significant threat to internal security and should be treated with the highest urgency. Administrators must verify firmware status and restrict administrative access immediately to mitigate the risk of remote code execution.