CVE-2022-50909

HIGH

Algo 8028 Control Panel <3.3.3 - Command Injection

Title source: llm

Description

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request.

Exploits (1)

exploitdb WORKING POC

by Filip Carlsson · pythonremotehardware

https://www.exploit-db.com/exploits/50960

View Code ZIP pw:eip

References (4)

[Various Sources] https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/

[Various Sources] https://www.algosolutions.com/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/50960

[Third Party Advisory] https://www.vulncheck.com/advisories/algo-control-panel-remote-code-execution-rce-authenticated

Scores

CVSS v3 8.8

EPSS 0.0034

EPSS Percentile 56.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

Algo Solutions/Algo 8028 3.3.3

Published Jan 13, 2026

Tracked Since Feb 18, 2026