CVE-2026-36828
Description
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in Panabit PAP-XM320 /cgi-bin/tools/ajax_cmd allows root-level RCE.
Vulnerability
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including version v7.7 [1]. The CGI component insufficiently sanitizes user-supplied input when handling the action=runcmd parameter, allowing authenticated users to inject arbitrary operating system commands.
Exploitation
An attacker must first authenticate to the Panabit web interface. Once authenticated, they can send a crafted HTTP request to /cgi-bin/tools/ajax_cmd with action=runcmd and a malicious payload appended to the command parameter. No special network position is required beyond network access to the management interface, and no user interaction beyond the attacker's own browser session is needed.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary shell commands with root privileges on the affected device. This results in full compromise of the confidentiality, integrity, and availability of the system, including the ability to read or modify any file, install persistent backdoors, or disrupt network operations.
Mitigation
Panabit has not yet released a fixed version for PAP-XM320 at the time of publication [1]. Users should restrict network access to the management interface to trusted administrators only and monitor for unauthorized activity. The vendor page [1] should be consulted for future patch availability.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
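The monitoring advice in the mitigation section can be made concrete. The following is an added example and is not Panabit's code or part of this advisory: a small Python checker that parses constructed web-server access-log lines in the common log format and flags requests to /cgi-bin/tools/ajax_cmd whose query string carries action=runcmd. The log layout, the sample lines and the field names are assumptions; adapt the regular expression to the device's actual log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/May/2026:10:01:02 +0000] "GET /cgi-bin/tools/ajax_cmd?action=status HTTP/1.1" 200 512
10.0.0.5 - admin [21/May/2026:10:01:09 +0000] "GET /cgi-bin/tools/ajax_cmd?action=runcmd&command=REDACTED HTTP/1.1" 200 88
10.0.0.9 - - [21/May/2026:10:02:00 +0000] "POST /cgi-bin/tools/ajax_cmd HTTP/1.1" 401 0
10.0.0.7 - admin [21/May/2026:10:03:30 +0000] "GET /cgi-bin/tools/AJAX_CMD?Action=RunCmd HTTP/1.1" 200 88
10.0.0.8 - admin [21/May/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Endpoint and action named in the advisory.
VULN_PATH = "/cgi-bin/tools/ajax_cmd"
VULN_ACTION = "runcmd"

# Assumed log layout: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_runcmd_request(target: str) -> bool:
    """True if the request target hits the vulnerable endpoint with action=runcmd.
    Path and parameter comparison are case-insensitive so trivial case
    variations do not slip past the check."""
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return False
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "action" and any(v.lower() == VULN_ACTION for v in values):
            return True
    return False

def find_runcmd_requests(log_text: str) -> list:
    """Return one record per log line that invokes action=runcmd on the endpoint.
    The HTTP status is kept so a responder can separate calls the device
    accepted (200) from rejected ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_runcmd_request(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "user", "ts", "status")})
    return hits

if __name__ == "__main__":
    for hit in find_runcmd_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} status={hit['status']}")
```

Parameters sent in a POST body do not appear in access logs, so for form-encoded requests the same check has to run at a reverse proxy or WAF that sees the body.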
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in our index yet)