PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57920 Peplink CVE debrief

CVE-2026-57920 is a high-severity vulnerability in Peplink InControl 2, allowing attackers to bypass access-control rules using a semicolon in certain /rest/o/{orgId} endpoints. The vulnerability has a CVSS score of 7.7 and is considered HIGH severity. It was published on June 26, 2026, and last modified on July 2, 2026. The vulnerability affects Peplink InControl 2 versions up to 2.14.2. There is limited information available about the vulnerability, and defenders should exercise caution when assessing and mitigating this vulnerability.

Vendor
Peplink
Product
InControl 2
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-02
Advisory published
2026-06-26
Advisory updated
2026-07-02

Who should care

Organizations using Peplink InControl 2 should prioritize patching this vulnerability to prevent potential attacks. Defenders should review their inventory of Peplink InControl 2 instances and ensure they are running a version patched for this vulnerability. Additionally, defenders should monitor their systems for any suspicious activity related to this vulnerability.

Technical summary

CVE-2026-57920 is a vulnerability in Peplink InControl 2 that allows attackers to bypass access-control rules using a semicolon in certain /rest/o/{orgId} endpoints. The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The vulnerability affects Peplink InControl 2 versions up to 2.14.2. There is limited information available about the vulnerability, and defenders should exercise caution when assessing and mitigating this vulnerability. Defenders should review the CVE and NVD records for more information.

Defensive priority

High

Recommended defensive actions

  • Review and apply the patch for Peplink InControl 2 version 2.14.2 or later.
  • Monitor systems for suspicious activity related to this vulnerability.
  • Review inventory of Peplink InControl 2 instances and ensure they are running a patched version.

Evidence notes

The CVE and NVD records provide limited information about the vulnerability. The CVE record notes that the vulnerability allows attackers to bypass access-control rules using a semicolon in certain /rest/o/{orgId} endpoints. The NVD record provides a CVSS vector and notes that the vulnerability affects Peplink InControl 2 versions up to 2.14.2.

Official resources

This article was generated with AI assistance based on the supplied source corpus.