CVE-2017-15626
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-bindif variable in the pptp_server.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR, WAR, and ER devices allow remote authenticated admins to execute arbitrary commands via command injection in pptp_server.lua.
Vulnerability
A command injection vulnerability exists in the new-bindif variable within the pptp_server.lua file of TP-Link WVR, WAR, and ER series devices. Affected firmware versions are listed in reference [1]. The injection occurs when an authenticated administrator sends a crafted request to the PPTP server configuration endpoint.
Exploitation
An attacker must have valid administrative credentials for the device's web interface. The attacker then sends a specially crafted HTTP request containing shell metacharacters in the new-bindif parameter. No additional user interaction is required beyond the authenticated session.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands with root privileges on the device. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use as a pivot point in the network.
Mitigation
TP-Link has released firmware updates addressing this vulnerability; users should update to the latest version for their specific device model as listed in the vendor advisory [1]. If no update is available, restrict administrative access to trusted IP addresses and disable the PPTP server if not required.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)