HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-35906Published Modified CNA mitre

CVE-2026-35906: An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1

An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an unauthenticated remote command execution vulnerability in T3 Technology CPE devices (T625Pro v1.0.07 and T6825G v1.0.03), triggered by sending a crafted HTTP request to an undocumented debug CGI endpoint exposed on the network. The attack requires no credentials and only needs the victim to interact in some way (per the CVSS vector), and successful exploitation gives the attacker arbitrary command execution as root, with full read, write, and availability impact that can extend beyond the vulnerable device itself (scope is changed). No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-35906 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle affected T3 Technology firmware or management tooling.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each customer organization's compliance policy to determine urgency and routing, directing findings to the appropriate team inbox within each customer org.

Available
Patch

Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, the advisory remains open and visible in each customer's finding queue so security teams can apply compensating controls without waiting for a manual re-scan.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the device's HTTP service over the network; the debug CGI endpoint is exposed remotely, making internet- or LAN-accessible deployments directly at risk.

  • AuthenticationNot required

    No credentials are needed; the debug endpoint accepts unauthenticated requests and processes the crafted query string without any login check.

  • Victim interactionRequired

    The CVSS vector specifies UI:R, meaning some form of user interaction is required to trigger the exploit, such as a victim browsing to a crafted URL or clicking an attacker-supplied link.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and imposes no special environmental conditions, race timing, or memory layout requirements on the attacker.

Blast Radius

  • A successful attacker executes arbitrary operating system commands as root on the affected CPE device, gaining complete control of the underlying system.
  • With root access, the attacker reads all stored configuration, credentials, and any secrets held on the device.
  • The attacker can modify device configuration, routing rules, or firmware, enabling persistent access or lateral movement into the adjacent network.
  • Because scope is changed in the CVSS vector, impact can extend beyond the CPE itself to downstream systems and network segments the device routes or bridges.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-35906 as of publication, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once T3 Technology publishes a remediated firmware or package version. Until then, customers are encouraged to use HarborGuard's network-policy controls to isolate affected devices or container workloads from untrusted network paths, apply egress filtering to prevent outbound command-and-control in the event of compromise, and use feature-flag or deployment-policy gating to block promotion of images containing affected versions into production. The CVE appears at Critical severity in each customer's finding queue for immediate triage. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention the moment an upstream fix is available.

See how HarborGuard automates this
Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References