CVE-2026-1802 is a command injection vulnerability identified in the Ziroom ZHOME A0101 smart home device firmware version 1.0.1.0. The vulnerability resides in the macAddrClone function within the luci\controller\api\zrMacClone.lua file, where improper sanitization of the macType argument allows an attacker to inject and execute arbitrary system commands remotely. This flaw does not require any authentication or user interaction, making it highly accessible to remote attackers. The vulnerability affects the device's command execution flow, potentially compromising the confidentiality, integrity, and availability of the device and connected networks. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), with partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation has been reported, the public release of exploit code increases the likelihood of attacks. The vendor has not issued any patches or responded to disclosure, leaving the vulnerability unmitigated. This vulnerability poses a significant risk to environments deploying Ziroom ZHOME A0101 devices, especially in smart home or IoT contexts where these devices may have network access and control capabilities.

For European organizations, exploitation of CVE-2026-1802 could lead to unauthorized remote command execution on Ziroom ZHOME A0101 devices, potentially allowing attackers to pivot into internal networks, disrupt device functionality, or exfiltrate sensitive data. The medium severity rating reflects partial but meaningful impacts on confidentiality, integrity, and availability. In smart home or IoT deployments, compromised devices could serve as entry points for broader network attacks or be leveraged in botnets. Organizations relying on these devices for critical functions or integrated with other systems face increased operational risks. The lack of vendor response and patches exacerbates the threat, requiring organizations to implement compensating controls. European entities with smart building infrastructure, managed IoT environments, or consumer-facing services using Ziroom products are particularly vulnerable. The threat also raises privacy concerns due to potential data leakage from compromised devices.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, isolate Ziroom ZHOME A0101 devices on segmented network zones with strict access controls to limit exposure. Employ network-level filtering to block unauthorized inbound traffic targeting the vulnerable API endpoint or macType parameter. Implement intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics to detect command injection attempts against the device. Where possible, disable or restrict remote management interfaces that expose the vulnerable function. Conduct thorough input validation and sanitization if custom integrations or middleware interact with the device APIs. Monitor device logs and network traffic for anomalous command execution patterns. Engage with vendors or third-party security providers for potential firmware updates or workarounds. Finally, maintain an inventory of affected devices and plan for device replacement or firmware updates once available.