CVE-2026-7674
HIGH · 8.8
Real vuln, HIGH CVSS, but exploitation claim unverified; feeds dominate chatter.
What: Remote buffer overflow in Shenzhen Libituo LBT-T300-HW1 Web Management Interface (versions ≤1.2.8) via VPN argument manipulation; CVSS 8.8 (HIGH).
Why it matters: Published same day with no patch available; vendor unresponsive to disclosure. Post #3 claims active exploitation, but lacks corroborating PoC, scanning data, or defender triage reports. Not KEV-listed. Most posts are feed/alert aggregation; no security researcher validation yet.
Where it's seen: Vulnerability feed chatter, alert automation, one unsubstantiated claim of "being exploited now" on X. No vendor advisory, no public PoC, no defender questions in forums.
RISK: ELEVATED — Unpatched remote code execution, but narrow device scope; vendor unresponsive.
AttackerKB
A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Public PoCs on GitHub (3 repos)
- cometkim/awesome-list ★ 22
My personal awesome list based on GitHub stars
- brimstone/stars ★ 2
My starred GitHub repositories
- getquoteonline/NSNPartLookup.com-Lookup-Order-NSN-NIIN-Cage-Code-Parts ★ 0
NSNPartLookup.com – Lookup & Order NSN, NIIN, Cage Code Parts
Articles & coverage (14 articles)
- CVE-2026-7674 - Exploits & Severity - Feedly
CVE-2026-7674. Published: May 2, 2026. No CVSS yet. No EPSS yet. The CVE description is not yet available but Feedly AI found some discussions about it. News: CVE-2026-7674 | Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8 Web Management Interface start_single_service vpn_pptp_server/vpn_l2tp_server buffer overflow. A vulnerability was found in Shenzhen
- RHEL 8 : rhc (RHSA-2026:7674) | Tenable®
RHEL 8 : rhc (RHSA-2026:7674). High. Nessus Plugin ID 306065. The remote Red Hat host is missing a security update for rhc. The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:7674 advisory. rhc is a client tool and daemon that connects the system to Red Hat hosted services enabling system and subscription man
- NVD - CVE-2026-26747
Change History: 3 change records found. Initial Analysis by NIST 2/25/2026 9:42:23 PM. Added, CPE Configuration: OR *cpe:2.3:a:monicahq:monica:4.1.2:*:*:*:*:*:*:*. Added, Reference Type: MITRE: https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md Types: Exploit,
- Apache Tomcat: Moderate: Cache Poisoning (CVE-2017-7674)
The response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
- CVE-2026-7334 Chrome Views Use-After-Free: Windows Admin Patch Lessons | Windows Forum
Google and Microsoft catalogued CVE-2026-7334 on April 28, 2026, as a high-severity use-after-free flaw in Chrome’s Views component on macOS, fixed in Chrome 147.0.7727.13
NVD details: 2 CWE · 0 vendors · 5 refs
Top posts driving the trend
@NewsNerdie · X · 5/3/2026
🔴 CVE-2026-7674 in Shenzhen Libituo's LBT-T300-HW1 is being exploited now—hackers can execute arbitrary code through a buffer overflow. Patch immediately to avoid system compromise. #NerdieNews #CyberSecurity #InfoSec #Vulnerability #AIPhishing https://t.co/knKJMcX6mC
♥ 0 · ↻ 0 · 💬 0
@CVEarity · X · 5/3/2026
⚡ New CVE Alert: CVE-2026-7674 📊 Severity: 8.8 🚨 Risk Level: High 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/0mAfo3eqsd #CVE-2026-7674 #CVE #High #CyberSecurity #InfoSec https://t.co/ImtfzFdB9g
♥ 0 · ↻ 0 · 💬 0
@postac001.bsky.social · Bluesky · 5/3/2026
Buffer overflow vulnerability in the Web management interface of Shenzhen Libituo LBT-T300-HW1 (up to v1.2.8). It may be triggered by a remote attack through manipulation of the VPN settings… CVE-2026-7674 CVSS 8.8 | HIGH
♥ 0 · ↻ 0 · 💬 0
@offseq.bsky.social · Bluesky · 5/3/2026
🚨 Buffer overflow in Shenzhen Libituo LBT-T300-HW1 (1.2.0 – 1.2.8) — HIGH severity, no patch yet. Remotely exploitable via Web UI. Restrict access & watch for updates. https://radar.offseq.com/threat/cve-2026-7674-buffer-overflow-in-shenzhen-libituo--817395ad #OffSeq #Vulnerability #IoTSecurity
♥ 1 · ↻ 0 · 💬 0
@VulmonFeeds · X · 5/3/2026
CVE-2026-7674 Buffer Overflow in Shenzhen Libituo Technology LBT-T300-HW1 Web Ma... https://t.co/4mrewtnUSs Customizable Vulnerability Alerts: https://t.co/U7998fz7yk
♥ 0 · ↻ 0 · 💬 0
@cve.skyfleet.blue · Bluesky · 5/3/2026
CVE-2026-7674 - Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow CVE ID : CVE-2026-7674 Published : May 3, 2026, 1:30 a.m. | 49 minutes ago Description : A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1...
♥ 0 · ↻ 0 · 💬 0
@thehackerwire.bsky.social · Bluesky · 5/3/2026
🟠 CVE-2026-7674 - High (8.8) A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects... https://www.thehackerwire.com/vulnerability/CVE-2026-7674/ #infosec #cybersecurity #CVE #vulnerability #security #patchstack
♥ 1 · ↻ 0 · 💬 0