CVE-2026-5574: Unauthenticated Arbitrary File Deletion in Technostrobe HI-LED-WR120-G2

CVE-2026-5574: Technostrobe Unauthenticated File Deletion Vulnerability Vulnerability Overview Technostrobe's HI-LED-WR120-G2 device is used for managing obstruction lighting on tall structures (towers, turbines, cranes). Its embedded HTTP web server's file management interface contains an AJAX handler that can delete arbitrary files from the device's filesystem without authentication. --- Affected Scope Affected Devices Device: Technostrobe HI-LED-WR120-G2 Controller: MCG-2 (Master Controller Hub) Firmware Version: 5.5.0.186.03.30 Build Date: Jan 30 2018 Attack Consequences Delete login credential storage ( ) → Lock out all legitimate users Delete MQTT configuration ( ) → Network Operations Center loses device visibility Delete web management interface → Engineers cannot access device Delete network configuration ( ) → Device may become unreachable Delete firmware update files → Potential brick on next boot Delete logs/audit files → Destroy intrusion evidence --- POC Code Basic File Deletion Request Delete Login Credentials (Lock Out All Users) Delete MQTT Configuration Delete Entire Web Interface --- Root Cause Request Parameters (All Attacker-Controlled) Pseudocode Analysis Missing Security Controls ❌ Authentication ❌ Authorization ❌ Path canonicalization ❌ Allowlist of deletable directories ❌ Audit logging --- Attack Scenarios Scenario A: Evidence Destruction 1. Attacker compromises device through other vulnerabilities 2. Attacker's actions are logged 3. Attacker deletes all log files through this endpoint 4. Forensic investigators: no logs, no traces 5. Attacker activity cannot be attributed Scenario B: Denial of Service (Availability Attack) 1. Attacker deletes 2. Device can no longer authenticate any users 3. NOC engineers are locked out of device 4. Any lighting fault conditions cannot be remotely repaired 5. Physical on-site access required (tower may be remote/inaccessible) 6. Aviation safety lights down for hours to days Scenario C: Covering Tracks After File Upload (Combined with Bug 0x05) 1. Attacker uploads malicious script (Bug 0x05) 2. Script executes, attacker gains RCE 3. Attacker deletes uploaded file through this endpoint 4. No upload traces in web root 5. Investigation finds device compromised but no obvious intrusion traces --- Combined Kill Chain (Bug 2 + 4 + 5 Chain) --- Operational Technology (OT) Impact Context Aviation Lighting Compliance Requirements: FAA 70/7460-1K — Defines flash frequency, color, intensity ICAO Annex 14 — International obstruction lighting standards Transport Canada — Canadian equivalent regulations Consequences of Disabled or Malfunctioning Obstruction Lights: Pilots lose tower proximity visual reference at night/in fog Aircraft collision with tower risk (CFIT) Tower operators face regulatory penalties Tower may lose operating license --- Remediation No specific official remediation is shown in the page screenshot, but based on vulnerability characteristics, recommendations include: 1. Authentication: Implement strong authentication for file management interfaces 2. Authorization checks: Verify user permissions to delete target files 3. Path canonicalization: Apply strict canonicalization to parameter 4. Directory restrictions: Restrict deletable files to allowlisted directories 5. Audit logging: Log all file deletion operations 6. Input validation: Validate and parameters to prevent directory traversal

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-5574: Unauthenticated Arbitrary File Deletion in Technostrobe HI-LED-WR120-G2

More from this source