EIP-2026-102449

PRE-CVE

Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-102449. PoCs published by Matt Bush.

AI-analyzed exploit summary This exploit leverages an authenticated command injection vulnerability in Untangle NGFW's JSON-RPC interface, specifically targeting the `execEvil()` method in the `execManager` object to achieve root-level remote code execution. It authenticates, retrieves a nonce and objectID, then sends a malicious payload to execute a reverse shell.

Description

Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection

Exploits (1)

exploitdb WORKING POC

by Matt Bush · pythonwebappsjson

https://www.exploit-db.com/exploits/40030

View Code ZIP pw:eip

This exploit leverages an authenticated command injection vulnerability in Untangle NGFW's JSON-RPC interface, specifically targeting the `execEvil()` method in the `execManager` object to achieve root-level remote code execution. It authenticates, retrieves a nonce and objectID, then sends a malicious payload to execute a reverse shell.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Untangle NGFW <= v12.1.0 beta

Auth required

Prerequisites: Valid credentials for Untangle NGFW · Network access to the target · Listener set up for reverse shell

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026