CVE Catalog

CVE-2026-30603

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

A vulnerability in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data by supplying a crafted iu.sh script contained on an SD card.

Risk Assessment

The organization is at risk of complete device compromise, leading to data confidentiality, integrity, and availability breaches, as well as potential lateral movement within the internal network.

Recommendation

Immediately disable the execution of scripts from SD cards during the update process and enforce digital signing of firmware updates.

Original NVD description (English source)

An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS