| TVN ID | TVN-202601007 |
|---|---|
| CVE ID | CVE-2026-1221, CVE-2026-1222, CVE-2026-1223 |
| CVSS | CVE-2026-1221: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVE-2026-1222: 7.2 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; CVE-2026-1223: 4.9 (Medium) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| Affected Products | PrismX MX100 AP controller before version 1.03.23.01 |
| Description | CVE-2026-1221: PrismX MX100 AP controller has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hard-coded database credentials stored in the firmware. CVE-2026-1222: PrismX MX100 AP controller has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. CVE-2026-1223: PrismX MX100 AP controller has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain SMTP plaintext passwords through the web frontend. |
| Solution | Update firmware to version v1.03.23.01 or later. |
| Credit | Alvin Lee, legendyang (Yoni Yang), yeyoumeng (ICEDTEA) |
| Public Date | 2026-01-20 |
