VYPR
Unrated severity · NVD Advisory · Published Jan 11, 2018 · Updated Aug 5, 2024

CVE-2017-15618

Description

TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-enable variable in the pptp_client.lua file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TP-Link WVR, WAR, and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in pptp_client.lua.

Vulnerability

A command injection vulnerability exists in the pptp_client.lua file of TP-Link WVR, WAR, and ER series devices. The new-enable variable is vulnerable to injection of arbitrary commands. This affects firmware versions where the file is present. The exact version range is not specified in the available reference [1], but the vulnerability is present in the mentioned device lines.

Exploitation

An attacker must have remote administrative access to the device. By sending a crafted HTTP request that includes malicious commands in the new-enable parameter, the attacker can inject arbitrary operating system commands.

Impact

Successful exploitation allows the authenticated administrator to execute arbitrary commands on the underlying operating system, potentially leading to full compromise of the device, including data exfiltration, modification, or denial of service.

Mitigation

The provided reference [1] does not identify a fixed firmware version released by the vendor, TP-Link. Users should monitor for firmware updates and apply them when available. If no update exists, consider restricting administrative access to trusted networks only.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

2
