CVE-2017-15628
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_server.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in TP-Link WVR, WAR, and ER devices allows authenticated remote code execution via the `lcpechointerval` parameter.
Vulnerability
A command injection vulnerability exists in the pptp_server.lua file of TP-Link WVR, WAR, and ER series devices. The lcpechointerval variable, used in the PPTP server configuration, is not sanitized before being passed to a shell command, allowing authenticated administrators to inject arbitrary commands. The flaw affects firmware versions prior to the vendor's security release.
Exploitation
An attacker must have administrative credentials to access the device's management interface. By submitting a crafted value for the lcpechointerval parameter, the attacker can inject shell metacharacters that break out of the intended command and execute arbitrary system commands.
Impact
Successful exploitation grants the attacker remote code execution on the device with root privileges. This can lead to full compromise of the router, enabling further attacks on the local network, data exfiltration, or use of the device in a botnet.
Mitigation
TP-Link has released firmware updates to address this vulnerability. Affected users should upgrade to the latest firmware for their specific device model as indicated in the vendor advisory [1]. No known workaround exists; however, access to the management interface should be restricted to trusted administrators as a defense-in-depth measure.
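One way to apply the missing input check described above, as an added example in Lua (the language of pptp_server.lua) and not TP-Link's firmware code. The function names, the 1 to 3600 second range, the sample inputs and the assumption that the value ends up as pppd's lcp-echo-interval option are all illustrative.

```lua
-- Added example: hypothetical helper names, not TP-Link firmware code.
-- Assumption: the interval is a count of seconds; the 1..3600 range is illustrative.
local MIN_INTERVAL, MAX_INTERVAL = 1, 3600

-- Accept only a short run of ASCII digits; return an integer, or nil plus a reason.
local function validate_lcp_echo_interval(raw)
  if type(raw) ~= "string" then
    return nil, "not a string"
  end
  -- Anchored pattern: the whole value must be 1 to 4 digits and nothing else.
  -- In Lua patterns "$" matches only at the true end of the string, so a
  -- trailing newline is rejected as well.
  if not raw:match("^%d%d?%d?%d?$") then
    return nil, "non-digit characters or wrong length"
  end
  local n = tonumber(raw)
  if n < MIN_INTERVAL or n > MAX_INTERVAL then
    return nil, "out of range"
  end
  return n
end

-- Build the option text from the validated integer, never from the raw string,
-- so nothing the caller typed reaches a shell or a config file verbatim.
local function pppd_option(raw)
  local n, err = validate_lcp_echo_interval(raw)
  if not n then
    return nil, err
  end
  return string.format("lcp-echo-interval %d", n)
end

-- Constructed sample inputs: one valid value and several that must be rejected.
local samples = { "30", "0", "99999", "30;id", "30 $(id)", "30\n", "", "3e1", "0x10" }
for _, raw in ipairs(samples) do
  local line, err = pppd_option(raw)
  print(string.format("%q -> %s", raw, line or ("rejected: " .. err)))
end
```

Only "30" yields an option line; every other sample is rejected before any command or configuration text is built.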
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)