CVE-2026-2533 is a command injection vulnerability identified in the Tosei Self-service Washing Machine firmware version 4.02. The vulnerability exists in the /cgi-bin/tosei_datasend.php script, where the input parameter adr_txt_1 is not properly sanitized, allowing an attacker to inject and execute arbitrary system commands remotely. This flaw does not require any authentication or user interaction, making it accessible to any remote attacker with network access to the device. The vulnerability stems from insecure coding practices in handling CGI parameters, which can be exploited to gain control over the device’s operating system. The vendor was notified but has not responded or provided a patch, and exploit code has been publicly released, increasing the likelihood of active exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability, resulting in a medium severity rating of 6.9. The affected product is a self-service washing machine commonly deployed in laundromats and public facilities, which may be connected to local or wide area networks for remote management and monitoring. Successful exploitation could allow attackers to disrupt service, manipulate device operation, or pivot to other networked systems. The lack of vendor response and patch availability heightens the urgency for organizations to implement compensating controls.

The primary impact of this vulnerability is unauthorized remote command execution on Tosei Self-service Washing Machines running version 4.02. This could lead to complete compromise of the device, allowing attackers to disrupt laundry services, manipulate machine settings, or cause denial of service. In environments where these machines are networked, attackers could use compromised devices as footholds to move laterally within the network, potentially targeting other critical infrastructure or sensitive data. Public laundromats and shared facilities relying on these machines could face operational downtime, reputational damage, and customer dissatisfaction. Although the direct confidentiality impact is low, the integrity and availability of the service are at risk. The exploitability without authentication and user interaction increases the threat level. The lack of vendor patching means the vulnerability will persist, increasing exposure over time. Organizations with large deployments or integration into broader IoT or facility management systems are particularly vulnerable to cascading effects.

Since no official patch or vendor response is available, organizations should implement the following mitigations: 1) Isolate Tosei washing machines on a dedicated network segment with strict access controls to prevent unauthorized remote access. 2) Disable or restrict access to the /cgi-bin/tosei_datasend.php interface from untrusted networks, especially the internet. 3) Employ network intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious commands or traffic patterns targeting the vulnerable parameter adr_txt_1. 4) Regularly audit and monitor device logs for unusual activity indicative of exploitation attempts. 5) If possible, replace or upgrade devices to versions without this vulnerability or from vendors with active security support. 6) Educate facility management staff about the risks and signs of compromise. 7) Consider deploying application-layer firewalls or reverse proxies to sanitize inputs before they reach the vulnerable CGI script. These steps reduce the attack surface and limit the potential for exploitation while awaiting vendor remediation.