CVE-2017-15615
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_client.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR, WAR, ER devices allow authenticated command injection via lcpechointerval in pptp_client.lua, enabling remote code execution.
Vulnerability
Remote authenticated command injection vulnerability in TP-Link WVR, WAR, and ER devices. The lcpechointerval variable in the /usr/lib/lua/luci/controller/admin/pptpd.lua file (referenced as pptp_client.lua in the CVE description) does not sanitize user input, allowing injection of arbitrary commands [1]. The vulnerability affects multiple firmware versions across these device families.
Exploitation
An attacker must have valid administrator credentials to access the web interface. When the attacker submits a crafted value for the lcpechointerval parameter, typically through the PPTP client configuration page, the injected command is executed with root privileges on the device [1].
Impact
Successful exploitation allows remote authenticated attackers to execute arbitrary commands as root, leading to full compromise of the device, including data exfiltration, lateral movement, or use as a botnet node [1].
Mitigation
No official patch has been released by TP-Link as of the publication date. Users should restrict administrative access to trusted networks, change default credentials, and monitor for vendor updates [1].
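The Vulnerability section attributes the flaw to lcpechointerval reaching a command without sanitization. The following added example (not TP-Link code and not taken from the cited advisory) shows an allow-list check for that field and applies it to logged request bodies to flag values that are not plain integers. The request layout (form-encoded, optionally with JSON inside a field), the 3600-second bound, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

PARAM = "lcpechointerval"         # field named in the CVE description
MAX_SECONDS = 3600                # assumed upper bound, not a vendor value
_DIGITS = re.compile(r"[0-9]{1,4}")

# Constructed request bodies (assumed layout, not captured traffic).
SAMPLE_BODIES = [
    "method=set&lcpechointerval=30",
    "method=set&lcpechointerval=30%3Bid",
    "data=%7B%22lcpechointerval%22%3A%2260%22%7D",
    "data=%7B%22pptp%22%3A%7B%22lcpechointerval%22%3A%2230%60id%60%22%7D%7D",
]

def is_safe_interval(value):
    """True only for ASCII decimal digits within the assumed range."""
    return bool(_DIGITS.fullmatch(value)) and int(value) <= MAX_SECONDS

def walk(node):
    """Yield every value stored under PARAM in decoded JSON."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == PARAM:
                yield str(val)
            else:
                yield from walk(val)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def interval_values(body):
    """Collect PARAM values from form fields and JSON-valued fields."""
    found = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            if name == PARAM:
                found.append(raw)
                continue
            try:
                found.extend(walk(json.loads(raw)))
            except ValueError:
                pass  # field is not JSON, nothing to inspect
    return found

def suspicious(bodies):
    """Return bodies whose PARAM value is not a safe integer."""
    return [b for b in bodies
            if any(not is_safe_interval(v) for v in interval_values(b))]
```

The check is an allow-list: anything other than one to four ASCII digits is rejected, so no list of shell metacharacters has to be maintained.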
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References: 2
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)