Platform: linux
Component: voltronic-power-snmp-web-pro
Fixed in: 1.1.1
CVE-2026-22199 describes a pre-authentication path traversal vulnerability found in Voltronic Power SNMP Web Pro version 1.1. This flaw allows attackers to read arbitrary files on the device's filesystem without authentication. Successful exploitation could lead to the disclosure of sensitive information, potentially enabling full system compromise. The vulnerability was published on 2026-03-13 and a fix is available in version 7.6.47.
The path traversal vulnerability in Voltronic Power SNMP Web Pro allows unauthenticated attackers to bypass access controls and read any file accessible to the web server process. By crafting malicious requests to the upload.cgi endpoint with carefully constructed directory traversal sequences in the params parameter, an attacker can navigate the filesystem and retrieve sensitive files. The most critical impact is the potential exposure of password hashes, which, if obtained, could be cracked offline to gain root-level access to the device. This could lead to complete system compromise, including configuration changes, data theft, and the deployment of malicious software.
CVE-2026-22199 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium, given the pre-authentication nature of the vulnerability and the potential for sensitive data disclosure. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests they are likely to emerge. The vulnerability was publicly disclosed on 2026-03-13.
EPSS: 0.04% (10% percentile)
The primary mitigation for CVE-2026-22199 is to upgrade Voltronic Power SNMP Web Pro to version 7.6.47 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the upload.cgi endpoint using a firewall or web application proxy. Configure the proxy to block requests containing directory traversal sequences (e.g., ../, ..\). Monitor system logs for suspicious activity related to file access attempts. After upgrading, confirm the fix by attempting to access arbitrary files via the upload.cgi endpoint; access should be denied.
Update the device to a patched version provided by Voltronic Power. Check the official Voltronic Power website or contact their technical support for information on available updates. As a temporary measure, disable the file upload functionality until an update can be applied.
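For the log-monitoring and proxy-filtering workaround described above, the following added example (not vendor code and not part of the original advisory) flags access-log entries where a request to upload.cgi carries a directory traversal sequence in the params parameter, including percent-encoded and double-encoded forms. It assumes a combined-format access log from a front-end proxy and that params appears in the query string; the URL path and sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches a ".." path segment delimited by / or \ (or the string boundaries).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # extra rounds catch double/triple percent-encoding


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until stable, so %252e%252e is seen as '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(request_target: str) -> bool:
    """True if the request hits upload.cgi with a traversal sequence in 'params'."""
    parts = urlsplit(request_target)
    if not fully_decode(parts.path).lower().endswith("/upload.cgi"):
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "params" and TRAVERSAL.search(fully_decode(value)):
            return True
    return False


def scan(log_lines):
    """Return the log lines whose request target is suspicious."""
    matches = ((line, REQUEST.search(line)) for line in log_lines)
    return [line for line, m in matches if m and is_suspicious(m.group(1))]


# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2026:10:00:01 +0000] "GET /upload.cgi?params=firmware.bin HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Mar/2026:10:00:05 +0000] "GET /upload.cgi?params=../../some/file HTTP/1.1" 200 1301',
    '198.51.100.7 - - [13/Mar/2026:10:00:06 +0000] "GET /upload.cgi?params=%252e%252e%252fsome%252ffile HTTP/1.1" 200 1301',
    '203.0.113.4 - - [13/Mar/2026:10:00:09 +0000] "GET /index.html?params=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```

The same `is_suspicious` check can back a deny rule in a filtering proxy; parameters sent in a request body do not appear in access logs and need inspection at the proxy itself.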
CVE-2026-22199 is a vulnerability allowing unauthenticated attackers to read arbitrary files on Voltronic Power SNMP Web Pro version 1.1, potentially exposing sensitive data like password hashes.
You are affected if you are using Voltronic Power SNMP Web Pro version 1.1. Upgrade to version 7.6.47 or later to mitigate the risk.
Upgrade to version 7.6.47 or later. As a temporary workaround, restrict access to the upload.cgi endpoint using a firewall or proxy.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted.
Refer to the Voltronic Power website for the official advisory and further details regarding this vulnerability.