CVE-2018-17532

Exploit

EPSS 83.98%
Veröffentlicht 15.10.2018 19:29:01
Zuletzt bearbeitet 21.11.2024 03:54:33
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Teltonika ≫ Rut900 Firmware Version < 00.04.233

Teltonika ≫ Rut900 Version-

Teltonika ≫ Rut950 Firmware Version < 00.04.233

Teltonika ≫ Rut950 Version-

Teltonika ≫ Rut955 Firmware Version < 00.04.233

Teltonika ≫ Rut955 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	83.98%	0.993

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2018/Oct/27

Third Party Advisory

Exploit

Mailing List

https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2018-17532