=== CVE-2026-32833 Cudy LT300 3.0 product-path reproduction === Started: 2026-07-06 10:24:08 UTC ROOT=/data/pruva/runs/27c2711b-9848-4ac6-9b8d-cd72c712e4bb/bundle [1/8] Checking runtime tools curl: /usr/bin/curl jq: /usr/bin/jq python3: /usr/bin/python3 unsquashfs: /usr/bin/unsquashfs proot: /usr/bin/proot qemu-mipsel: /usr/bin/qemu-mipsel strings: /usr/bin/strings sha256sum: /usr/bin/sha256sum [2/8] Acquiring Cudy firmware images c414fd3e6310ebcfed27b6fc7eed11c406e2a468c58f2574f4884690b2c7d868 /data/pruva/runs/27c2711b-9848-4ac6-9b8d-cd72c712e4bb/bundle/artifacts/firmware/LT300V3-2.4.5.zip 8d0e515a0e68cefc3658e66d38ca84f69fe1591a5fa8e3abcb9880d170cfaebf /data/pruva/runs/27c2711b-9848-4ac6-9b8d-cd72c712e4bb/bundle/artifacts/firmware/LT300V3-2.5.12.zip [3/8] Extracting firmware root filesystems [4/8] Preparing emulated product roots (environment shims only; original uhttpd/LuCI systime handler is preserved) [5/8] Exercising vulnerable firmware through original HTTP endpoint Starting vuln attempt 1 on port 18111 vuln attempt 1: GET reached original System Time CBI form vuln attempt 1: command execution proof observed: VULN_ATTEMPT_1_COMMAND_EXECUTED Starting vuln attempt 2 on port 18112 vuln attempt 2: GET reached original System Time CBI form vuln attempt 2: command execution proof observed: VULN_ATTEMPT_2_COMMAND_EXECUTED [6/8] Exercising fixed firmware through same original HTTP endpoint as negative control Starting fixed attempt 1 on port 18121 fixed attempt 1: GET reached original System Time CBI form fixed attempt 1: no proof file created (fixed handler rejected/sanitized injection) Starting fixed attempt 2 on port 18122 fixed attempt 2: GET reached original System Time CBI form fixed attempt 2: no proof file created (fixed handler rejected/sanitized injection) [7/8] Summarizing code difference Vulnerable 2.4.5 systime markers: timeclock date -s '%04d-%02d-%02d %02d:%02d:%02d' fork_exec timeclock date -s '%s' fork_exec Fixed 2.5.12 systime markers: timeclock date -s '%04d-%02d-%02d %02d:%02d:%02d' fork_exec date -s '%s' gsub fork_exec Proof summary: vuln attempt 1 proof: VULN_ATTEMPT_1_COMMAND_EXECUTED vuln attempt 2 proof: VULN_ATTEMPT_2_COMMAND_EXECUTED fixed attempt 1 no proof file (negative control passed) fixed attempt 2 no proof file (negative control passed) [8/8] Writing runtime manifest === Reproduction complete: CONFIRMED === See /data/pruva/runs/27c2711b-9848-4ac6-9b8d-cd72c712e4bb/bundle/logs/artifacts/product/proof_summary.txt and HTTP request/response artifacts.