Peplink Security Advisory: Balance/MAX/FusionHub Firmware 8.5.3 - Shell Command Injection Vulnerability

Background
Recently, we have communicated with a trusted security party that has informed us that they have found a vulnerability in Peplink devices running firmware version 8.5.3. Details are below:

If the user can gain access to the router’s Web Admin with admin privileges, they can execute an API command to perform unauthorized actions.

With InControl Virtual Appliance (ICVA) running firmware up to 2.14.1.2, the Remote Web Admin (RWA) access could give another path to gain access to the vulnerability point.

NOTE:
Peplink-hosted InControl 2 (incontrol2.peplink.com) has already been mitigated against this vulnerability.

Products
The vulnerability was identified in:

  1. Peplink Balance, MAX, MediaFast, and FusionHub product series firmware version 8.5.3.

  2. ICVA firmware version 2.14.1.2 or earlier.

Solution
It has been fixed in Peplink Balance, MAX, MediaFast, and FusionHub firmware version 8.5.4, which can be downloaded here.

For ICVA, the interim solution is to upgrade to firmware version 2.14.1.3, which allows the admin to disable the Remote Web Admin and IP-based InTouch feature globally. A permanent solution that provides enhanced security in establishing the tunnel is targeted at ICVA firmware version 2.14.2, ETA in late February or early March 2026.

Published: 2026-02-16

Ref.: #35920


Just to confirm, the vulnerability is only in 8.5.3, not 8.5.3 and earlier?

Hi Wei Ming,

Can you give more detail, as it isn’t clear what the risks are with this?
Is it that a read-only user with RWA can run admin tasks? Or is it that a user of a different org can run admin tasks when they have no access?

Is there a CVE for this already or is this before release?

Thanks,
James


@WeiMing sorry, just giving a bump on this. :)

@James_Webster5240 A read-only user is not able to do so; it must be done with the admin access level.
