CVE-2017-15625
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-olmode variable in the pptp_client.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR/WAR/ER devices allow authenticated admin command injection via the new-olmode parameter in pptp_client.lua.
Vulnerability
TP-Link WVR, WAR, and ER devices are affected by a command injection vulnerability in the pptp_client.lua file. The new-olmode variable is not properly sanitized, allowing remote authenticated administrators to inject arbitrary commands. The exact affected firmware versions are not specified in the available references [1].
Exploitation
An attacker must have valid administrative credentials to access the device's web interface. The attacker can then send a crafted request with malicious input in the new-olmode parameter, which is processed by pptp_client.lua without proper sanitization, leading to command execution [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of the device's confidentiality, integrity, and availability.
Mitigation
No official patch or mitigation is disclosed in the available references [1]. Users should restrict administrative access to trusted networks and monitor for suspicious activity.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)