Full Report
CERT Polska has received a report about three vulnerabilities (CVE-2026-40455 through CVE-2026-40457) found in LMS (LAN Management System) software.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in LMS (LAN Management System)
## CVE Details
- **CVE ID:** CVE-2026-40455
- **CVSS Score:** Not provided in the advisory (editor's estimate: High)
- **CWE:** CWE-89 (SQL Injection)
- **CVE ID:** CVE-2026-40456
- **CVSS Score:** Not provided in the advisory (editor's estimate: Critical)
- **CWE:** CWE-78 (OS Command Injection)
- **CVE ID:** CVE-2026-40457
- **CVSS Score:** Not provided in the advisory (editor's estimate: Medium)
- **CWE:** CWE-79 (Reflected Cross-Site Scripting)
## Affected Systems
- **Products:** LMS (LAN Management System)
- **Versions:** All versions that predate the fixing commits (the advisory identifies the fixes by commit, not by release number):
- Before commit `4cb30a7` (SQLi)
- Before commit `9fcb4de` (Command Injection)
- Before commit `9c5651b` (XSS)
- **Configurations:**
- For CVE-2026-40455: Requires an authenticated user session.
- For CVE-2026-40457: Requires a network to be defined within the system for the payload to trigger.
## Vulnerability Description
- **CVE-2026-40455:** In the `tarifflist.php` module the application does not validate the `tg[]` POST parameter. It joins the user-supplied array elements with PHP's `implode()` and concatenates the result directly into an SQL statement, so any element can become SQL syntax; the advisory describes error-based SQL injection (data is read back through database error messages).
- **CVE-2026-40456:** The application passes an IP address parameter straight to PHP's `exec()` without validating it. Because `exec()` runs the string through the system shell, shell metacharacters in the parameter let a remote attacker append further commands and execute arbitrary code as the web server user. The advisory summary does not name the affected module.
- **CVE-2026-40457:** The `dbrecover.php` and `netremap.php` modules embed unsanitized GET parameters directly into the HTML output, allowing arbitrary JavaScript to run in the browser of an authenticated user who follows a crafted link.
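The three bug classes above, modelled side by side with the corresponding hardened pattern. This is an added example, not LMS code and not from the CERT Polska advisory: LMS is written in PHP, and the PHP constructs named in the advisory (`implode()` into SQL, a raw string to `exec()`, an unescaped `$_GET` value in HTML) are paraphrased here in Python so the effect can be run stand-alone. The parameter names `tg`, `ip` and `name`, the in-memory `tariffs` table and the `ping` command are assumptions used for illustration.

```python
"""Added example (not LMS code): Python models of the three bug classes in the
advisory and of the corresponding hardened pattern. The table layout, the 'ip'
and 'name' parameter names and the ping command are illustrative assumptions."""
import html
import ipaddress
import sqlite3


def make_db():
    # Constructed stand-in for an LMS tariff table (not the real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tariffs (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO tariffs VALUES (?, ?)",
                    [(1, "basic"), (2, "premium"), (3, "business")])
    return con


# --- CVE-2026-40455 pattern: array values imploded straight into SQL ---
def tariffs_vulnerable(con, tg):
    # Equivalent of "... IN (" . implode(',', $_POST['tg']) . ")" in PHP:
    # every element of tg[] lands in the statement unquoted and unvalidated,
    # so one element can close the IN list and append its own clause.
    sql = "SELECT id, name FROM tariffs WHERE id IN (%s)" % ",".join(tg)
    return con.execute(sql).fetchall()


def tariffs_hardened(con, tg):
    # Validate each element as an integer, then bind with placeholders so the
    # values can never be parsed as SQL, whatever they contain.
    ids = [int(v) for v in tg]           # raises ValueError on "2) UNION ..."
    marks = ",".join("?" * len(ids))
    sql = "SELECT id, name FROM tariffs WHERE id IN (%s)" % marks
    return con.execute(sql, ids).fetchall()


# --- CVE-2026-40456 pattern: an IP parameter handed to exec() ---
def ping_vulnerable(ip):
    # PHP exec("ping -c 1 " . $ip) hands this whole string to /bin/sh, so a
    # ';' or '|' in $ip starts a second command. Returned, not executed.
    return "ping -c 1 " + ip


def ping_hardened(ip):
    # Parse as an address first (rejects anything that is not a literal IP),
    # then build an argv list so no shell ever interprets the value.
    addr = ipaddress.ip_address(ip)      # raises ValueError on "10.0.0.1; id"
    return ["ping", "-c", "1", str(addr)]


# --- CVE-2026-40457 pattern: GET parameter echoed into HTML ---
def page_vulnerable(name):
    # Raw reflection of $_GET['name'] into the page body.
    return "<h2>Network: %s</h2>" % name


def page_hardened(name):
    # Escape for the HTML text-node context (htmlspecialchars() in PHP).
    return "<h2>Network: %s</h2>" % html.escape(name, quote=True)


if __name__ == "__main__":
    con = make_db()
    probe = ["1", "2) UNION SELECT name, sql FROM sqlite_master--"]
    print(tariffs_vulnerable(con, probe))      # leaks the table definition
    print(tariffs_hardened(con, ["1", "3"]))   # only the requested rows
```

The SQL probe in `__main__` uses a UNION so the leak is visible as returned rows; the error-based variant the advisory describes has the same root cause and the same fix, it only reads the data back through the database error text instead. Note that `tariffs_hardened` rejects the probe before the database sees it, which is the behaviour to look for when reviewing the fixing commit.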
## Exploitation
- **Status:** PoC details described in advisory; no reports of exploitation in the wild mentioned.
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full database extraction and OS file access possible)
- **Integrity:** High (Unauthorized database modification and OS command execution)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Users should update their LMS installation to include the following commits (or the latest stable release containing them):
- **SQL Injection fix:** Commit `4cb30a7`
- **OS Command Injection fix:** Commit `9fcb4de`
- **XSS fix:** Commit `9c5651b`
### Workarounds
- Restrict access to the LMS management interface to trusted IP addresses only.
- Ensure the principle of least privilege is applied to the web server user and database user.
## Detection
- **Indicators of Compromise:**
- Look for SQL syntax (quotes, `--`, `UNION`, `extractvalue(`, `updatexml(`) in the `tg[]` parameter sent to `tarifflist.php`. Because `tg[]` is a POST parameter it does not appear in a standard access log; request-body logging (a WAF or ModSecurity audit log, or application-level logging) is needed to see it.
- Audit system logs for unexpected shell commands or processes spawned by the web server user (for example a shell, `curl`, `wget` or `nc` with the web server's UID as parent).
- Check access logs for GET parameters to `dbrecover.php` and `netremap.php` containing `<script`, `javascript:` or event handlers such as `onerror=`; URL-decode the query string before matching, since the payload will normally be percent-encoded.
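A scanner for the indicators listed above, added here as an example and not part of the advisory or of LMS. It reads constructed JSON-lines request records of the kind a reverse proxy or WAF with request-body logging can emit; the field names (`ts`, `method`, `uri`, `body`), the `/<module>.php` URL form and the module name in the last sample record (the advisory does not name the module affected by CVE-2026-40456, so the check for that CVE runs over every parameter) are assumptions about the deployment, not LMS conventions.

```python
"""Added example (not from the advisory or LMS): scan request records for the
three web-log indicators in the Detection section. Record field names, the
/<module>.php URL form and the sample log lines are constructed assumptions."""
import json
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructs commonly seen in error-based SQLi probes against MySQL/MariaDB.
SQLI_RE = re.compile(
    r"(['\"`]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|"
    r"\bextractvalue\s*\(|\bupdatexml\s*\(|\bsleep\s*\()", re.I)
XSS_RE = re.compile(r"(<\s*script|javascript:|\bon\w+\s*=)", re.I)
# An IP literal followed by a shell metacharacter: the exec() injection shape.
CMDI_RE = re.compile(r"^\s*\d{1,3}(\.\d{1,3}){3}\s*[;|&`$<>\n]")


def _params(qs):
    # parse_qs decodes once; decode again so %2527-style double encoding
    # used to slip past naive filters is still visible to the regexes.
    return {k: [unquote_plus(v) for v in vs]
            for k, vs in parse_qs(qs, keep_blank_values=True).items()}


def classify(record):
    """Return a list of (cve, detail) hits for one parsed request record."""
    hits = []
    parts = urlsplit(record["uri"])
    module = parts.path.rsplit("/", 1)[-1]
    query = _params(parts.query)
    body = _params(record.get("body", ""))
    if module == "tarifflist.php":
        for v in body.get("tg[]", []) + body.get("tg", []) + query.get("tg[]", []):
            if SQLI_RE.search(v):
                hits.append(("CVE-2026-40455", "tg[]=%s" % v))
    if module in ("dbrecover.php", "netremap.php"):
        for k, vs in query.items():
            for v in vs:
                if XSS_RE.search(v):
                    hits.append(("CVE-2026-40457", "%s=%s" % (k, v)))
    # The advisory does not name the parameter or module for the exec() bug,
    # so look for the IP-plus-metacharacter shape in every parameter.
    for src in (query, body):
        for k, vs in src.items():
            for v in vs:
                if CMDI_RE.search(v):
                    hits.append(("CVE-2026-40456", "%s=%s" % (k, v)))
    return hits


def scan(lines):
    """Parse JSON lines and return [(ts, cve, detail), ...] for every hit."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for cve, detail in classify(rec):
            out.append((rec["ts"], cve, detail))
    return out


# Constructed sample records: one benign request, then one probe per CVE.
# "somemodule.php" is a placeholder, not a real LMS module name.
SAMPLE_LOG = """
{"ts":"2026-06-02T10:00:01Z","method":"POST","uri":"/tarifflist.php","body":"tg%5B%5D=1&tg%5B%5D=2"}
{"ts":"2026-06-02T10:00:07Z","method":"POST","uri":"/tarifflist.php","body":"tg%5B%5D=1)+AND+extractvalue(1,concat(0x7e,version()))--+-"}
{"ts":"2026-06-02T10:00:12Z","method":"GET","uri":"/netremap.php?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E","body":""}
{"ts":"2026-06-02T10:00:20Z","method":"GET","uri":"/somemodule.php?ip=10.0.0.5%3Bid","body":""}
"""

if __name__ == "__main__":
    for ts, cve, detail in scan(SAMPLE_LOG.splitlines()):
        print(ts, cve, detail)
```

The patterns are deliberately broad (a bare quote or `select` in `tg[]` is enough to flag a request) because `tg[]` should only ever carry tariff-group identifiers; tune `SQLI_RE` rather than the parameter check if the deployment produces false positives. Nothing here replaces applying the fixing commits; it only helps establish whether the bugs were probed before the patch went in.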
## References
- CERT Polska Advisory: [https://cert.pl/en/posts/2026/06/vulnerabilities-in-lms-software/](https://cert.pl/en/posts/2026/06/vulnerabilities-in-lms-software/)
- CVE-2026-40455: [https://www.cve.org/CVERecord?id=CVE-2026-40455](https://www.cve.org/CVERecord?id=CVE-2026-40455)
- CVE-2026-40456: [https://www.cve.org/CVERecord?id=CVE-2026-40456](https://www.cve.org/CVERecord?id=CVE-2026-40456)
- CVE-2026-40457: [https://www.cve.org/CVERecord?id=CVE-2026-40457](https://www.cve.org/CVERecord?id=CVE-2026-40457)