CVE-2017-15613
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the cmxddns.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR/WAR/ER devices allow authenticated admin RCE via command injection in the cmxddns.lua new-interface variable.
Vulnerability
A command injection vulnerability exists in the new-interface variable within the cmxddns.lua file of TP-Link WVR, WAR, and ER devices [1]. This affects firmware versions prior to the fix released in January 2018 [1]. The vulnerability requires the device to have the DDNS feature enabled and the attacker to have valid administrative credentials [1].
Exploitation
An attacker with a valid administrator account can send a crafted POST request to the device's web interface, injecting arbitrary operating system commands into the new-interface parameter [1]. No user interaction beyond the authenticated session is required, and the attacker can be on the local network, or remote if the management interface is exposed [1].
Impact
Successful exploitation allows the remote authenticated attacker to execute arbitrary commands on the underlying operating system with root privileges [1]. This results in full compromise of the device's confidentiality, integrity, and availability [1]. The attacker can install persistent backdoors, exfiltrate data, or pivot to other network hosts [1].
Mitigation
TP-Link released firmware updates to address this vulnerability in January 2018 for the affected WVR, WAR, and ER device series [1]. It is recommended to update to the latest firmware from TP-Link's official support site; if upgrading is not possible, administrators should restrict access to the management interface to trusted networks only and disable the DDNS feature if not required [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)