Critical · Public exploit

Command Injection in LB-LINK /goform/set_LimitClient_cfg

Identifiers: CVE-2023-26801; CWE-77 · Improper Neutralization of Special…

CVE-2023-26801 is a critical OS command injection vulnerability affecting multiple LB-LINK router firmware versions: BL-AC1900_2.0 v1.0.1, BL-WR9000 v2.4.9, BL-X26 v1.2.5, and BL-LTE300 v1.0.8. The flaw is present in the /goform/set_LimitClient_cfg HTTP endpoint, where the mac, time1, and time2 parameters are not properly neutralized before being used in a command execution context. A remote attacker can send a crafted HTTP POST request to inject shell metacharacters or appended commands via these parameters, resulting in arbitrary command execution on the device. Supporting reporting indicates the vulnerability has been observed in botnet exploitation chains used to download and execute Mirai-family payloads.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in full compromise of the affected router. Because the issue enables arbitrary command execution and is remotely reachable without authentication or user interaction, an attacker can execute system commands with the privileges of the vulnerable web service, which on embedded router platforms commonly yields complete device control. This can lead to theft or modification of configuration and traffic data, installation of malware, enrollment of the device into a botnet, persistence, service disruption, and use of the router as infrastructure for further attacks. Available scoring and enrichment indicate high impact to confidentiality, integrity, and availability, with total technical impact.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is completed, restrict access to the router management interface and specifically to the vulnerable web endpoint from untrusted networks. Disable internet exposure of administrative HTTP/HTTPS services, place management interfaces behind VPN or trusted internal networks only, and enforce network ACLs or firewall rules limiting access to known administrator hosts. Monitor for suspicious POST requests to /goform/set_LimitClient_cfg, especially requests containing shell metacharacters or command strings in mac, time1, or time2 parameters. If exposure cannot be eliminated and no patch exists, the most effective mitigation is device replacement.
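The monitoring step above, sketched as an added example (not code from this page or from LB-LINK): it flags POSTs to the endpoint whose mac, time1 or time2 values carry shell metacharacters or fail a strict format check. The request samples are constructed, and the MAC and HH:MM value formats are assumptions about what legitimate traffic looks like.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/goform/set_LimitClient_cfg"
WATCHED = ("mac", "time1", "time2")
# Characters a shell treats specially; none belong in a MAC address or a time.
SHELL_META = set(";&|`$(){}<>\\'\"\n\r")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
TIME_RE = re.compile(r"\d{1,2}:\d{2}")  # assumed HH:MM; format not given on the page


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def inspect_request(method, path, body):
    """Return (parameter, reason) findings for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    findings = []
    for name, value in parse_form(body):
        if name not in WATCHED:
            continue
        if SHELL_META & set(value):
            findings.append((name, "shell metacharacter"))
        elif not (MAC_RE if name == "mac" else TIME_RE).fullmatch(value):
            findings.append((name, "unexpected format"))
    return findings


# Constructed sample requests: (method, path, body).
SAMPLES = [
    ("POST", ENDPOINT, "mac=00%3A11%3A22%3A33%3A44%3A55&time1=08:00&time2=22:00"),
    ("POST", ENDPOINT, "mac=00:11:22:33:44:55&time1=08:00%3Becho+CONSTRUCTED&time2=22:00"),
    ("POST", ENDPOINT, "mac=not-a-mac&time1=08:00&time2=22:00"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

Values are URL-decoded before matching, so percent-encoded metacharacters are caught as well as literal ones.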

Remediation

Patch, then assume compromise.

Upgrade affected LB-LINK devices to a vendor-fixed firmware version if one is available from LB-LINK. If no patched firmware is available for a given model or the device is end-of-life, replace the device with supported hardware. Review vendor advisories and firmware release notes specifically for fixes to /goform/set_LimitClient_cfg command injection handling. After patching or replacement, audit devices for signs of compromise, including unexpected processes, modified startup scripts, unknown outbound connections, and unauthorized configuration changes, because exploitation has been publicly documented and observed in the wild.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Lb-Link | Bl-Ac1900 Firmware | operating_system
Lb-Link | Bl-Lte300 Firmware | operating_system
Lb-Link | Bl-Wr9000 Firmware | operating_system
Lb-Link | Bl-X26 Firmware | operating_system

Vendor-confirmed product mapping.
