{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30603", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T17:57:43.296Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T16:22:58.644Z"}, "descriptions": [{"lang": "en", "value": "An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://qianniao.com"}, {"url": "http://qn-l23pa0904.com"}, {"url": "https://github.com/0xghostrush/Research/blob/main/CVE-2026-30603/CVE-2026-30603.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-494", "lang": "en", "description": "CWE-494 Download of Code Without Integrity Check"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-345", "lang": "en", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:57:03.451229Z", "id": "CVE-2026-30603", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:57:43.296Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30603", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T17:57:03.451229Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494 Download of Code Without Integrity Check"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:54:17.342Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://qianniao.com"}, {"url": "http://qn-l23pa0904.com"}, {"url": "https://github.com/0xghostrush/Research/blob/main/CVE-2026-30603/CVE-2026-30603.md"}], "descriptions": [{"lang": "en", "value": "An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T16:22:58.644Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30603", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:57:43.296Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card."}], "id": "CVE-2026-30603", "lastModified": "2026-04-02T18:16:27.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-02T17:16:22.287", "references": [{"source": "cve@mitre.org", "url": "http://qianniao.com"}, {"source": "cve@mitre.org", "url": "http://qn-l23pa0904.com"}, {"source": "cve@mitre.org", "url": "https://github.com/0xghostrush/Research/blob/main/CVE-2026-30603/CVE-2026-30603.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-494"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20250721.1640]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "qn-l23pa0904", "vendor": "qianniao"}], "analysis": {"en": {"generated_at": "2026-04-02T22:38:33.193440+00:00", "value": {"mitigation_remediation": ["Upgrade the device to the latest official firmware from Qianniao, which resolves the update validation issue.", "Verify the integrity of any SD card used for firmware updates and avoid using untrusted media.", "Enforce script signing or integrity checks for all firmware update scripts before execution.", "Monitor system logs for unexpected execution of iu.sh or similar scripts.", "Implement network segmentation and device hardening to limit lateral movement after compromise."], "summary": {"action": "Patch Now", "impact": "Root Access"}, "threat_synthesis": {"affected_systems": "Qianniao QN\u2011L23PA0904 devices running firmware version v20250721.1640 are affected; no other vendors or models are listed.", "description_and_impact": "The flaw lies in the firmware update process of the Qianniao QN\u2011L23PA0904, where the system accepts a custom iu.sh script from an SD card without proper validation. This permits arbitrary execution with system root privileges, enabling the attacker to install backdoors and exfiltrate sensitive data. The weakness is a form of improper input validation and missing authentication, as reflected by CWE\u2011345 and CWE\u2011494.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known commercial exploitation. The attack vector is local and requires physical insertion of an SD card containing a malicious iu.sh script; once executed, the attacker gains full root access, compromising confidentiality, integrity, and availability of the device."}}}}, "created": "2026-04-03T08:58:20.645899+00:00", "title": "Root Access via Crafted Firmware Update Script on Qianniao QN-L23PA0904", "updated": "2026-04-03T09:19:00.309797+00:00", "vendors": ["qianniao", "qianniao$PRODUCT$qn-l23pa0904"]}