External risk intelligence

Generic OEM UZ801 Router Remote Code Execution via Web API

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-52200

The vulnerability affects a 4G LTE router and resides in the web management API, which is a network-exposed service typically managed via a web interface. Such devices are frequently deployed at the network edge, making the management interface a common target for remote access.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a specific type of 4G LTE router's web management interface, potentially allowing remote attackers to execute arbitrary code. While the direct business impact requires further assessment of product usage and exposure, this type of flaw can represent a significant security risk if unaddressed.

  • Remote code execution in router management.
  • Network edge devices are common targets.
  • Confirm relevance and exposure promptly.

Attack Path

How an attacker could exploit the issue

An attacker can reach this vulnerability without any special access by targeting the router's web management API over the network. This API, exposed via the `/ajax` endpoint within MifiService.apk, is a prime target for remote code execution. When this vulnerability is successfully triggered, it can lead to the compromise of the device.

  • No authentication required.
  • Triggered via web management API.
  • Allows remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A remote attacker could potentially execute arbitrary code on the affected router by exploiting a vulnerability in its web management API. This could allow them to take control of the device's network functions and any connected systems.

  • Router system control at risk.
  • Via a network-accessible API endpoint.
  • Compromised network access and device function.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects a 4G LTE router's web management API, likely managed by network or security teams responsible for edge devices. The first practical step is to identify all instances of this router, assess their network exposure and business criticality, and then coordinate with the accountable owner for remediation, which may involve vendor engagement.

  • Network/Security teams own the issue.
  • Verify external access to router management.
  • Plan vendor coordination for fixes.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Generic OEM UZ801 router?

The UZ801_v2.1 is a 4G LTE cellular router used to provide network connectivity, often serving as a gateway for internet access in remote locations or mobile environments. This hardware includes a service component named MifiService.apk, which hosts a web-based management interface. This interface allows administrators to configure network settings, monitor traffic, and manage device functions through a browser-based dashboard.

What does CWE-94 mean for CVE-2026-52200?

CVE-2026-52200 is classified under CWE-94, which stands for Improper Control of Generation of Code. In plain terms, this means the software incorrectly handles data sent by a user and inadvertently allows that data to be executed as a command. Because of this flaw, the router's web management API processes unexpected inputs in a way that lets an attacker run their own unauthorized instructions directly on the device's operating system.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specifically crafted requests to the /ajax endpoint within the router's management software. No prior authentication, password, or physical access to the device is required to initiate the attack. It is important to note that sending standard, legitimate administrative traffic to the router does not trigger the bug; it requires malicious input designed to exploit the underlying code generation flaw.

Is my device at risk based on Halo Surface Signal?

Yes, if you use this router, your risk is significant. Halo Surface Signal identifies this as a 'Likely' concern because the affected web management interface is typically intended to be network-accessible. Since these routers are often deployed at the network edge to facilitate connectivity, their management portals are frequently reachable over the internet, providing a direct path for attackers to interact with the vulnerable API remotely.

What should I do if I use this router?

Your first priority is to locate all UZ801 units within your infrastructure. Check if the web management interface is accessible from the public internet; if it is, consider restricting access to trusted internal networks immediately. Once you have identified the affected hardware, reach out to your hardware vendor or OEM supplier to determine if a firmware update or security patch is available to resolve the issue.

References