CVE-2017-15630
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-remotesubnet variable in the pptp_client.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR/WAR/ER devices allow remote authenticated admins to inject OS commands via the new-remotesubnet parameter in pptp_client.lua.
Vulnerability
The vulnerability is a command injection flaw in the pptp_client.lua file of TP-Link WVR, WAR, and ER devices. The new-remotesubnet variable is not properly sanitized before being passed to a system command, allowing authenticated administrators to inject arbitrary operating system commands. The issue affects multiple firmware versions; the exact versions are not enumerated in the available references, but the advisory [1] confirms the class of bugs covers CVE-2017-15613 through CVE-2017-15637, indicating wide impact across these device lines.
Exploitation
An attacker must have remote administrative access to the device's web interface (valid credentials and network reachability). The attack involves sending a crafted HTTP POST request to the PPTP configuration endpoint, manipulating the new-remotesubnet parameter with command injection payloads. No additional authentication or user interaction is required beyond the admin session. The injection occurs server-side when the Lua script processes the input.
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system as the root user (since the web interface runs with elevated privileges). This results in full compromise of the device, including complete loss of confidentiality, integrity, and availability. The attacker can modify firewall rules, intercept traffic, pivot to internal networks, or render the device inoperable.
Mitigation
No official patch or fixed firmware version is published in the available references [1]. The vendor, TP-Link, has not released a security advisory for these specific CVEs as of the latest reference. Affected devices remain vulnerable; the recommended mitigation is to restrict administrative access to trusted IP addresses via firewall rules, use strong passwords, and monitor logs for suspicious activity. If the devices are end-of-life or no longer supported, replacement with supported hardware is advised.
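For the log monitoring recommended above, a strict allow-list check on the new-remotesubnet value can be run over captured admin POST bodies or placed in a filtering proxy. This is an added example, not TP-Link code or code from the references; it assumes the request body is form-encoded and that the field is meant to hold an IPv4 network with an explicit prefix, and the sample bodies are constructed.

```python
import ipaddress
from urllib.parse import parse_qs

PARAM = "new-remotesubnet"  # parameter name taken from the CVE description

# Constructed sample POST bodies (assumed form-encoded; not captured traffic).
SAMPLE_BODIES = [
    "name=office&new-remotesubnet=192.168.10.0%2F24",
    "name=lab&new-remotesubnet=10.0.0.0%2F24%3Becho+test",
    "name=empty&new-remotesubnet=",
]


def is_valid_subnet(value: str) -> bool:
    """True only for an IPv4 network written with an explicit /prefix or /netmask."""
    # Allow-list the alphabet first so shell metacharacters, spaces and
    # quotes are rejected before any parsing happens.
    if not value or any(c not in "0123456789./" for c in value):
        return False
    if "/" not in value:
        return False  # assumption: a bare address is not a valid subnet here
    try:
        # strict=True also rejects values with host bits set (e.g. 10.0.0.5/24).
        ipaddress.IPv4Network(value, strict=True)
    except ValueError:
        return False
    return True


def flag_requests(bodies):
    """Return (index, decoded value) for each body whose subnet field fails validation."""
    hits = []
    for i, body in enumerate(bodies):
        fields = parse_qs(body, keep_blank_values=True)
        for value in fields.get(PARAM, []):
            if not is_valid_subnet(value):
                hits.append((i, value))
    return hits


if __name__ == "__main__":
    for index, value in flag_requests(SAMPLE_BODIES):
        print(f"body {index}: rejected {PARAM}={value!r}")
```
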
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3
Patches
0. No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)