CVE-2026-7674
Published: 03 May 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-7674 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the start_single_service function in the Web Management Interface of Shenzhen Libituo Technology's LBT-T300-HW1 device firmware, versions up to 1.2.8. The flaw is triggered by manipulating the vpn_pptp_server or vpn_l2tp_server arguments, allowing remote exploitation. Published on 2026-05-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user on the Web Management Interface, can exploit this vulnerability remotely without any user interaction. Successful exploitation triggers the buffer overflow and can lead to arbitrary code execution, data compromise, or denial of service, consistent with the vector's high impact ratings for confidentiality, integrity, and availability.
No vendor response or patches were provided despite early disclosure contact, as noted in the advisory. Mitigation details are absent from available sources; practitioners should restrict access to the Web Management Interface, monitor for anomalous VPN configuration attempts, and consider device replacement. Key references include a GitHub proof-of-concept at https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md and VulDB entries at https://vuldb.com/vuln/360827.
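As an added example (not from the advisory, VulDB, the proof-of-concept repository or the vendor), a small log-review helper for the monitoring recommendation above: it flags management-interface requests whose vpn_pptp_server or vpn_l2tp_server values do not look like a hostname or IP address. The access-log line shape, the /vpn_config path and the 64-character ceiling are assumptions to adapt to real device logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical detection helper (not the vendor's or the advisory's code): flag
# web-management requests whose vpn_pptp_server / vpn_l2tp_server values do not
# look like a hostname or IP. Log format, endpoint path and the length ceiling
# are constructed assumptions; adjust them to the logs your devices actually emit.
WATCHED_PARAMS = {"vpn_pptp_server", "vpn_l2tp_server"}
MAX_SANE_LEN = 64  # assumed ceiling for a legitimate hostname/IP value
HOSTLIKE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")  # hostname, IPv4 or IPv6 shape

# Assumed access-log line shape: "<client> <method> <path?query> <status>"
LOG_RE = re.compile(r"^(\S+) ([A-Z]+) (\S+) (\d{3})$")

def suspicious_vpn_params(line):
    """Return [(param, reason), ...] for one log line; empty if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group(3)).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if len(value) > MAX_SANE_LEN:
                findings.append((name, f"length {len(value)} exceeds {MAX_SANE_LEN}"))
            elif value and not HOSTLIKE.match(value):  # blank = clearing the setting
                findings.append((name, "value is not hostname/IP shaped"))
    return findings

def scan_log(lines):
    """Return (line_number, client, findings) for every line that raises a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = suspicious_vpn_params(line)
        if findings:
            hits.append((number, line.split(" ", 1)[0], findings))
    return hits

# Constructed sample traffic; "/vpn_config" is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    "10.0.0.5 POST /vpn_config?vpn_pptp_server=vpn.example.net 200",
    "10.0.0.5 POST /vpn_config?vpn_l2tp_server=192.0.2.10 200",
    "10.0.0.9 POST /vpn_config?vpn_pptp_server=" + "A" * 200 + " 200",
    "10.0.0.9 POST /vpn_config?vpn_l2tp_server=not%20a%20host%21 200",
    "10.0.0.7 GET /status 200",
]
```

Running `scan_log(SAMPLE_LOG)` reports only the third and fourth lines, both from the same client, which is the kind of event worth correlating with the restricted-access control.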
Details
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-120 (Buffer Copy without Checking Size of Input, "Classic Buffer Overflow")
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The buffer overflow in the web management interface lets a low-privilege authenticated user remotely achieve arbitrary code execution, which maps directly to exploitation of a public-facing application (T1190) and exploitation for privilege escalation (T1068).