
CVE-2026-2533: Command Injection in Tosei Self-service Washing Machine

Severity: Medium
Type: Vulnerability
Published: Mon Feb 16 2026 (02/16/2026, 03:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Tosei
Product: Self-service Washing Machine

Description

A flaw has been found in Tosei Self-service Washing Machine 4.02. An unknown function of the file /cgi-bin/tosei_datasend.php is affected. Manipulating the argument adr_txt_1 can lead to command injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 02/16/2026, 04:33:38 UTC

Technical Analysis

CVE-2026-2533 is a command injection vulnerability affecting Tosei Self-service Washing Machine firmware version 4.02. The vulnerability resides in the /cgi-bin/tosei_datasend.php script, where the parameter adr_txt_1 is improperly sanitized, allowing attackers to inject arbitrary shell commands. This flaw can be exploited remotely without authentication or user interaction, making it highly accessible to attackers. Successful exploitation could lead to full command execution on the device, potentially allowing attackers to manipulate machine operations, disrupt services, or pivot into connected networks. The vulnerability was responsibly disclosed, but the vendor has not issued any response or patch, increasing the risk of exploitation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and partial impact on confidentiality, integrity, and availability (VC:L/VI:L/VA:L). Although no known exploits are currently active in the wild, proof-of-concept code has been published, which could facilitate future attacks. The affected product is a self-service washing machine commonly deployed in public or commercial laundromats, which may be connected to enterprise or facility networks, increasing the potential attack surface.

Potential Impact

For European organizations, this vulnerability poses risks primarily to laundromats, hospitality venues, and public facilities using Tosei self-service washing machines. Exploitation could lead to unauthorized control over washing machines, causing service disruption or denial of service, impacting customer experience and operational continuity. More critically, if these devices are connected to broader facility networks, attackers could leverage the command injection to move laterally, potentially compromising sensitive systems or data. The lack of vendor response and patches increases exposure duration. Additionally, compromised machines could be used as footholds for further attacks or as part of botnets. The impact on confidentiality is limited but not negligible if attackers access network credentials or logs. Integrity and availability impacts are more pronounced, as attackers can alter machine behavior or disable services. This threat is particularly relevant for organizations with large-scale deployments or those in sectors where service availability is critical.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement immediate compensating controls. First, isolate Tosei washing machines on segmented networks with strict firewall rules to prevent unauthorized remote access to the /cgi-bin/tosei_datasend.php endpoint. Disable any unnecessary remote management interfaces or services on these devices. Employ network monitoring and intrusion detection systems to identify anomalous command injection attempts targeting the adr_txt_1 parameter. Where possible, replace or upgrade devices to versions without this vulnerability or from alternative vendors. Conduct regular security assessments of IoT and facility devices to detect similar vulnerabilities. Educate facility management staff on the risks and signs of exploitation. Finally, maintain incident response plans that include IoT device compromise scenarios to ensure rapid containment if exploitation occurs.
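The monitoring recommendation above can be turned into a simple log-side check. The following is an added example, not code from the page or the vendor: it assumes the device sits behind a reverse proxy or web server writing Apache-style combined access logs, that legitimate requests to the endpoint only come from a hypothetical management subnet (10.10.50.0/24), and that the parameter arrives in the query string (POST bodies are not visible in access logs and would need an application-layer sensor). The log lines are constructed for the demonstration.

```python
import re
import ipaddress
from urllib.parse import parse_qs, unquote

# Assumption: only this management subnet should ever reach the CGI endpoint.
ALLOWED_NET = ipaddress.ip_network("10.10.50.0/24")
ENDPOINT = "/cgi-bin/tosei_datasend.php"
PARAM = "adr_txt_1"
# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")

# Apache combined log format: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def inspect(line):
    """Return a list of alert reasons for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    if path != ENDPOINT:
        return []
    reasons = []
    try:
        if ipaddress.ip_address(m.group("ip")) not in ALLOWED_NET:
            reasons.append("source outside management subnet")
    except ValueError:
        reasons.append("unparseable source address")
    # parse_qs decodes once; unquote again so a %25xx double-encoded value is not missed.
    for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
        if SHELL_META.search(unquote(value)):
            reasons.append(f"shell metacharacter in {PARAM}")
            break
    return reasons

def scan(lines):
    """Return (line_index, reasons) for every line that raises at least one alert."""
    alerts = []
    for i, line in enumerate(lines):
        reasons = inspect(line)
        if reasons:
            alerts.append((i, reasons))
    return alerts

# Constructed sample log: one legitimate call, one suspicious call from outside, one unrelated hit.
SAMPLE_LOG = [
    '10.10.50.7 - - [16/Feb/2026:03:40:01 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=10.10.50.20 HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Feb/2026:03:41:13 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=10.10.50.20%3Bid HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Feb/2026:03:41:20 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG):
        print(f"line {index}: {', '.join(reasons)}")
```

Either reason on its own is worth an alert: a request from outside the management subnet shows the segmentation control has a gap, and a metacharacter in adr_txt_1 is the injection pattern the advisory describes regardless of where it came from.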


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-02-15T09:12:14.856Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69929abfbda29fb02f425d33

Added to database: 2/16/2026, 4:19:11 AM

Last enriched: 2/16/2026, 4:33:38 AM

Last updated: 2/21/2026, 12:18:09 AM

