{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "HTTP JSON-RPC POST /cgi-bin/luci/rpc/app method system.setclock, reaching luci.apprpc.system.setclock",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "Cudy LT300 firmware rootfs",
    "uhttpd",
    "LuCI RPC controller",
    "luci.jsonrpc",
    "luci.app",
    "luci.apprpc.system.setclock",
    "qemu-mipsel",
    "proot"
  ],
  "tested_versions": {
    "vulnerable": "2.4.5-20250519-131314",
    "fixed": "2.5.12-20260518-234632"
  },
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/http/vuln_rpc_request.json",
    "logs/vuln_variant/http/vuln_rpc_response_headers.txt",
    "logs/vuln_variant/http/vuln_rpc_response_body.txt",
    "logs/vuln_variant/http/fixed_rpc_request.json",
    "logs/vuln_variant/http/fixed_rpc_response_headers.txt",
    "logs/vuln_variant/http/fixed_rpc_response_body.txt",
    "logs/vuln_variant/product/code_identity.txt",
    "logs/vuln_variant/product/proof_summary.txt"
  ],
  "exploit_status": "alternate_trigger_not_bypass",
  "notes": "The JSON-RPC /cgi-bin/luci/rpc/app method system.setclock is a distinct HTTP entrypoint to the same date -s shell sink and executes on 2.4.5; the same payload does not execute on fixed 2.5.12 because the fixed apprpc/system.lua also applies quote sanitization."
}
