CVE-2017-15622
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-mppeencryption variable in the pptp_client.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR/WAR/ER devices allow authenticated admin command injection via new-mppeencryption in pptp_client.lua, enabling remote code execution.
Vulnerability
The vulnerability is a command injection flaw in the pptp_client.lua file on TP-Link WVR, WAR, and ER series devices. The new-mppeencryption variable is not properly sanitized before being used in a command execution context, allowing an authenticated administrator to inject arbitrary operating system commands. Affected firmware versions include all releases prior to the vendor's patch. [1]
Exploitation
An attacker must have valid administrative credentials to the device's web interface. By sending a crafted HTTP request to the endpoint that processes the pptp_client.lua script, the attacker can inject commands via the new-mppeencryption parameter. The injected commands are executed with the privileges of the web server, typically root. [1]
Impact
Successful exploitation allows a remote authenticated administrator to execute arbitrary commands on the underlying operating system. This can lead to full device compromise, including data exfiltration, installation of persistent backdoors, lateral movement within the network, and disruption of device services. [1]
Mitigation
No specific mitigation details are provided in the available references. Users should restrict administrative access to trusted networks only, use strong passwords, and monitor the vendor's support page for firmware updates that address this vulnerability. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)