CVE-2017-15631

Vulnerability

TP-Link WVR, WAR, and ER series routers contain a command injection vulnerability in the new-workmode parameter within the pptp_client.lua file. This allows remote authenticated administrators to inject arbitrary operating system commands. The vulnerability affects devices running firmware versions prior to the fix released in [1]. The new-workmode variable is not properly sanitized, enabling injection of shell commands.

Exploitation

An attacker needs remote authenticated administrative access to the device. The attacker can send a crafted HTTP request to the vulnerable endpoint with malicious input in the new-workmode parameter. The command injection occurs when the device processes the parameter, executing the injected commands with root privileges. No user interaction is required beyond authentication.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of malware, or further network attacks. The impact is high as it provides complete control over the router.

Mitigation

TP-Link has released firmware updates to address this vulnerability. Users should update to the latest firmware version for their specific device model. If no update is available, restrict administrative access to trusted networks only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1] provides a list of affected models and further details.