Cellopoint CelloOS - Remote Command Execution (RCE)
Description
Cellopoint CelloOS v4.1.10 Build 20190922 does not properly validate URL input. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary commands to manipulate the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cellopoint CelloOS v4.1.10 Build 20190922 lacks input validation, enabling admin cookie holders to inject and execute arbitrary commands remotely.
Vulnerability
Cellopoint CelloOS v4.1.10 Build 20190922 fails to properly validate URL input. A specific parameter does not filter malicious content, allowing command injection. This vulnerability affects CelloOS v4.1.10 Build 20190922 only [1].
Exploitation
An attacker must obtain the cookie of a system administrator (e.g., through session theft). With this cookie, the attacker sends a crafted request containing an injected command in the vulnerable parameter. No user interaction is required beyond the initial cookie compromise [1].
Impact
Successful exploitation grants remote code execution (RCE) with the privileges of the web server, typically root or system-level access. The attacker can fully compromise the affected system, including data theft, modification, and further network attacks [1].
Mitigation
Cellopoint released a fix in CelloOS v4.1.10 Build 20200210. Administrators should update to this version or later immediately. No workarounds are documented [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = v4.1.10 Build 20190922
- (no CPE) range: 0
References
[1] www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html (mitre, x_refsource_MISC)