[CelloOS Remote Access Vulnerability Notification]

CBN ID：CBN-2026-04968

Affected Versions：CelloOS v4.0.0 and later

1. Description

Under certain conditions, the default console management account used for system configuration in CelloOS may be exposed to unauthorized remote access, potentially allowing execution of system commands.

This vulnerability may be triggered when both of the following conditions are met simultaneously:

1. The SSH (sshd) service is enabled on the system. (disabled by default)

2. The SSH service is accessible externally. (via the Internet or internal network)

   
   

2. Impact

In environments where the above conditions are present, an attacker may be able to remotely connect to the system using the Console management account and perform unauthorized actions, posing a potential risk to system security.

3. Remediation

• This issue has been addressed via the online update service (IXP service) on March 18, 2026, and has been patched for all customers whose devices are within the warranty period.

• CelloOS 4.8.0 20260316 and later versions are not affected by this vulnerability.

  
  

4. Recommendations

To enhance system security, it is recommended to take the following measures:

1. Avoid enabling the SSH (sshd) service unless necessary.

2. If SSH is required for temporary use, disable it immediately after use.

3. For long-term use, it is recommended to configure firewall rules to restrict accessible source IP addresses.

4. Regularly verify that the system is updated to the latest version.

   
   

5. Contact Information

For any questions or assistance, please contact our technical support team at: support@cellopoint.com