CVE-2017-15624

Vulnerability

A command injection vulnerability exists in the pptp_server.lua file of TP-Link WVR, WAR, and ER series devices. The vulnerable parameter is new-authtype, which is not properly sanitized before being passed to a system command. This allows a remote authenticated administrator to inject arbitrary operating system commands. Affected versions are not explicitly enumerated in the available references, but the advisory [1] covers this CVE. The vulnerability is reachable through the administrative web interface, requiring authenticated access.

Exploitation

To exploit the vulnerability, an attacker must have valid administrative credentials to the TP-Link device's web management interface. Once authenticated, the attacker sends a crafted HTTP request to the endpoint handling PPTP server settings, manipulating the new-authtype parameter. By including shell metacharacters (e.g., ; or |) followed by arbitrary commands, the attacker can inject and execute those commands on the underlying operating system with the privileges of the web server process. No user interaction beyond the attacker themselves is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the device, typically as the root user or equivalent. This can lead to complete compromise of the device, including full control over network traffic, modification of firmware, exfiltration of sensitive data (e.g., VPN credentials, configuration), and potential use of the device as a pivot point within the network. The impact involves total loss of confidentiality, integrity, and availability for the affected device [1].

Mitigation

At the time of publication (January 2018), TP-Link had not released a firmware patch for these devices; the advisory [1] does not mention a fixed version. Users are advised to restrict administrative interface access to trusted networks only (e.g., via firewall rules) and to use strong, unique passwords for administrative accounts. If possible, disable the PPTP server functionality if it is not required. The devices may be past their end-of-life (EOL) period; check TP-Link's support site for any later updates. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the knowledge cutoff.