Mallory
Severity: Critical · Public exploit

Command Injection in LB-LINK Multiple Routers /goform/set_LimitClient_cfg

Identifiers: CVE-2023-26801 · CWE-77 (Improper Neutralization of Special…)

CVE-2023-26801 is a critical OS command injection vulnerability affecting LB-LINK BL-AC1900_2.0 v1.0.1, BL-WR9000 v2.4.9, BL-X26 v1.2.5, and BL-LTE300 v1.0.8. The flaw is in the /goform/set_LimitClient_cfg endpoint, where the mac, time1, and time2 parameters are not properly neutralized before being used in a command-execution context. A remote attacker can send a crafted HTTP POST request to this endpoint and inject shell metacharacters or commands, resulting in arbitrary command execution on the device. Public reporting indicates the vulnerability has been used in the wild to download and execute botnet payloads, including Mirai-family malware.
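The defect class here (CWE-77) is fixed on the handler side by accepting only exactly-formed values and by never handing them to a shell. The following is an added illustration written for this page, not LB-LINK firmware code and not Mallory's: it assumes a hypothetical `client_limit` helper binary and an "HH:MM" 24-hour format for time1/time2 (the page does not state the real format), and shows allowlist validation of the three parameters named in the description followed by an argv-style invocation with no shell in the path.

```python
"""Strict parameter validation for a client-limit handler (hypothetical code,
not LB-LINK firmware). Against CWE-77 the handler should accept nothing but a
well-formed MAC and two times, and never pass the values through a shell."""
import re
import subprocess

# Exact-format allowlists. Shell metacharacters (; | & ` $ < > ...) fall
# outside these patterns, so they are rejected before any command is built.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
# Assumption: time1/time2 are 24-hour "HH:MM" strings (format not given on the page).
TIME_RE = re.compile(r"([01][0-9]|2[0-3]):[0-5][0-9]")


def validate_limit_client_params(mac: str, time1: str, time2: str) -> list[str]:
    """Return the names of parameters that fail the allowlist (empty list == all good).

    fullmatch() is used rather than match() with a trailing '$': '$' would
    still match before a trailing newline, which lets "AA:...:FF\\n" slip through.
    """
    bad = []
    if not MAC_RE.fullmatch(mac):
        bad.append("mac")
    if not TIME_RE.fullmatch(time1):
        bad.append("time1")
    if not TIME_RE.fullmatch(time2):
        bad.append("time2")
    return bad


def build_limit_command(mac: str, time1: str, time2: str) -> list[str]:
    """Build an argv list for the hypothetical 'client_limit' helper.

    Because argv is passed as a list, no shell ever parses these strings;
    together with the allowlist, a value such as 'AA:BB:CC:DD:EE:FF;echo'
    is rejected outright instead of being interpreted as two commands.
    """
    bad = validate_limit_client_params(mac, time1, time2)
    if bad:
        raise ValueError(f"rejected parameters: {', '.join(bad)}")
    return ["client_limit", "--mac", mac.lower(), "--start", time1, "--end", time2]


def apply_limit(mac: str, time1: str, time2: str, run=subprocess.run):
    """Validate, then execute without shell=True. `run` is injectable for tests."""
    argv = build_limit_command(mac, time1, time2)
    return run(argv, shell=False, check=True)
```

The design choice worth noting is that rejection happens at the boundary and the invocation never reaches a shell; escaping or quoting values for a shell string is the fragile alternative that this pattern avoids.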


Analyst brief: impact, mitigation & remediation

What it means, what to do now: patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to full compromise of the affected router, consistent with the CVSS 3.1 assessment of high confidentiality, integrity, and availability impact. An attacker can execute arbitrary system commands, retrieve and run secondary payloads, alter device configuration, disrupt routing or network services, and conscript the device into a botnet for follow-on activity such as DDoS, scanning, or further propagation. CISA enrichment indicates the technical impact is total.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to the router management interface and the /goform/set_LimitClient_cfg endpoint from untrusted networks, especially the public Internet. Place administrative interfaces behind VPN or trusted management networks, enforce network ACLs/firewall rules to limit reachability, disable remote administration if not required, and continuously monitor for suspicious POST requests to /goform/set_LimitClient_cfg and for outbound retrieval of scripts/binaries indicative of botnet staging. Where patching is not immediately possible, isolate affected devices and consider replacement due to active exploitation.
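The monitoring step above (suspicious POSTs to /goform/set_LimitClient_cfg, plus outbound fetches of scripts or binaries) is concrete enough to script. The block below is an added example for this page, not a Mallory detection rule and not vendor code. It assumes a hypothetical JSON-lines proxy/firewall log with `direction`, `src`, `method`, `path`, `body`, `host` and `user_agent` fields, an assumed management allowlist of 192.168.1.0/24 and 10.0.0.0/8, and a user-agent heuristic for fetch tools; the sample log lines are constructed for the demonstration. It generalizes slightly beyond the text by also flagging a malformed `mac` value that contains no metacharacters.

```python
"""Detection sketch for CVE-2023-26801 activity over constructed proxy log lines.
Hypothetical log schema; not a Mallory signature and not LB-LINK code."""
import ipaddress
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/goform/set_LimitClient_cfg"
INJECTABLE_PARAMS = ("mac", "time1", "time2")          # named on the page
# Characters that never belong in a MAC address or a time-of-day value.
SHELL_META = re.compile(r"[;|&`$(){}<>\\'\"\n\r]")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")
# Assumption: only these networks are allowed to reach the admin interface.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]
# Assumption: heuristics for "outbound retrieval of scripts/binaries".
STAGING_SUFFIXES = (".sh", ".bin", ".elf")
FETCH_AGENTS = ("wget", "curl", "busybox")


def _from_mgmt(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # missing or garbage src is not trusted
        return False
    return any(addr in net for net in MGMT_NETS)


def inspect_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one parsed log event."""
    alerts = []
    if (ev.get("direction") == "inbound" and ev.get("method") == "POST"
            and ev.get("path") == TARGET_PATH):
        src = ev.get("src", "?")
        if not _from_mgmt(src):
            alerts.append(("untrusted-source", f"POST to {TARGET_PATH} from {src}"))
        # Bodies are application/x-www-form-urlencoded; percent-decoding happens
        # after the '&' split, so an encoded %3B cannot hide by splitting a pair.
        params = parse_qs(ev.get("body", ""), keep_blank_values=True)
        for name in INJECTABLE_PARAMS:
            for value in params.get(name, []):
                if SHELL_META.search(value):
                    alerts.append(("shell-metachar", f"{name}={value!r}"))
                elif name == "mac" and not MAC_RE.fullmatch(value):
                    alerts.append(("malformed-mac", f"mac={value!r}"))
    if ev.get("direction") == "outbound" and ev.get("method") == "GET":
        ua = ev.get("user_agent", "").lower()
        path = ev.get("path", "")
        if ua.startswith(FETCH_AGENTS) or path.lower().endswith(STAGING_SUFFIXES):
            alerts.append(("payload-staging",
                           f"{ev.get('src', '?')} fetched {ev.get('host', '')}{path}"))
    return alerts


def scan_log(lines) -> list[tuple[int, str, str]]:
    """Parse JSON-lines records (flagging unparseable ones) and aggregate alerts."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable", line[:40]))
            continue
        for rule, detail in inspect_event(ev):
            findings.append((n, rule, detail))
    return findings


# Constructed sample log: one benign admin POST, one POST from outside the
# management network carrying an encoded ';' in mac, one outbound script fetch,
# one benign outbound request, and one corrupt line.
SAMPLE_LOG = [
    '{"direction":"inbound","src":"192.168.1.10","method":"POST","path":"/goform/set_LimitClient_cfg","body":"mac=AA:BB:CC:DD:EE:01&time1=08:00&time2=17:00"}',
    '{"direction":"inbound","src":"203.0.113.7","method":"POST","path":"/goform/set_LimitClient_cfg","body":"mac=AA%3ABB%3ACC%3ADD%3AEE%3A02%3Becho&time1=00:00&time2=23:59"}',
    '{"direction":"outbound","src":"192.168.1.1","method":"GET","host":"198.51.100.9","path":"/update.sh","user_agent":"Wget"}',
    '{"direction":"outbound","src":"192.168.1.1","method":"GET","host":"time.example.net","path":"/","user_agent":"Mozilla/5.0"}',
    'garbage line that is not json',
]

if __name__ == "__main__":
    for line_no, rule, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

Run against the constructed sample it reports four findings: the external-source POST, the metacharacter in its mac value, the outbound .sh fetch, and the unparseable line. In production the same two checks map onto whatever already sees the traffic (a reverse proxy in front of the admin UI and egress logging from the router's segment); the untrusted-source rule is the one that fires even when the payload is obfuscated beyond what a metacharacter regex catches.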

Remediation

Patch, then assume compromise.

Upgrade to a vendor-fixed firmware version if one is available for the affected LB-LINK models. If official patched firmware is not available, replace affected devices with supported hardware. Because this vulnerability has public exploit material and observed in-the-wild exploitation, exposed vulnerable devices should be treated as potentially compromised; after patching or replacement, perform credential rotation, review configuration integrity, and reimage or factory-reset/reprovision devices as appropriate before returning them to service.

Public exploits

No public exploit code observed for this vulnerability (tracked: 0 valid / 0 total).

Exposure surface: affected products & vendors

Products and vendors correlated with this vulnerability (CPE configurations and version ranges are tracked per product).

Vendor    Product               Type
Lb-Link   Bl-Ac1900 Firmware    operating_system
Lb-Link   Bl-Lte300 Firmware    operating_system
Lb-Link   Bl-Wr9000 Firmware    operating_system
Lb-Link   Bl-X26 Firmware       operating_system

Vendor-confirmed product mapping.
