{
  "variant_id": "CVE-2026-32833-pruva-variant-jsonrpc-setclock",
  "created_at": "2026-07-06T10:43:00Z",
  "variant_summary": "Alternate vulnerable-version trigger via authenticated LuCI JSON-RPC /cgi-bin/luci/rpc/app method system.setclock reaching luci.apprpc.system.lua date -s shell sink; fixed 2.5.12 blocks the payload, so this is not a fixed-version bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "vendor-firmware:Cudy LT300 V3",
  "submitted_target": {
    "target_kind": "firmware_release",
    "version": "LT300V3-R100-2.4.5-20250519-131314",
    "ref": "vendor firmware zip LT300V3-R100-2.4.5-20250519-131314-flash.zip",
    "display": "Cudy LT300 V3 firmware 2.4.5 (vulnerable parent target)"
  },
  "variant_target": {
    "target_kind": "firmware_release",
    "version": "LT300V3-R100-2.5.12-20260518-234632",
    "ref": "vendor firmware zip LT300V3-R100-2.5.12-20260518-234632-flash.zip",
    "display": "Cudy LT300 V3 firmware 2.5.12 fixed/control target; variant does not bypass this target"
  },
  "same_root_cause_confidence": 0.95,
  "same_surface_confidence": 0.82,
  "claimed_surface": "authenticated router administrative HTTP interface time-setting command injection",
  "validated_surface": "authenticated LuCI JSON-RPC HTTP endpoint /cgi-bin/luci/rpc/app method system.setclock on vulnerable firmware; fixed firmware negative control blocks it",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "HTTP POST /cgi-bin/luci/rpc/app with JSON-RPC method system.setclock and attacker-controlled params[0] time string",
  "attacker_controlled_input": "JSON-RPC params[0] passed to luci.apprpc.system.setclock",
  "trigger_path": [
    "/www/cgi-bin/luci",
    "usr/lib/lua/luci/controller/rpc.lua",
    "usr/lib/lua/luci/jsonrpc.lua",
    "usr/lib/lua/luci/app.lua",
    "usr/lib/lua/luci/apprpc/system.lua:setclock",
    "luci.sys.call(\"date -s '%s'\")"
  ],
  "observed_impact_class": "code_execution",
  "exploitability_confidence": 0.86,
  "evidence_scope": "production_path_emulated_firmware",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "not_a_fixed_version_bypass; fixed firmware 2.5.12 also sanitizes or rejects the JSON-RPC setclock payload",
  "blocking_mitigation": "Fixed luci.apprpc.system.lua contains gsub/validation and runtime returns Invalid Parameter without creating proof file",
  "file_path": "usr/lib/lua/luci/apprpc/system.lua",
  "line_start": null,
  "line_end": null,
  "secondary_anchors": [
    {
      "file_path": "usr/lib/lua/luci/controller/rpc.lua",
      "line_start": null,
      "line_end": null
    },
    {
      "file_path": "usr/lib/lua/luci/app.lua",
      "line_start": null,
      "line_end": null
    },
    {
      "file_path": "usr/lib/lua/luci/model/cbi/system/systime.lua",
      "line_start": null,
      "line_end": null
    }
  ],
  "review_scope_paths": [
    "usr/lib/lua/luci/apprpc/system.lua",
    "usr/lib/lua/luci/controller/rpc.lua",
    "usr/lib/lua/luci/app.lua",
    "usr/lib/lua/luci/model/cbi/system/systime.lua"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
