CVE-2017-15633
Description
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-ipgroup variable in the session_limits.lua file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TP-Link WVR, WAR, and ER devices allow remote authenticated admins to execute arbitrary commands via command injection in the session_limits.lua new-ipgroup parameter.
Vulnerability
A command injection vulnerability exists in TP-Link WVR, WAR, and ER devices. The flaw resides in the session_limits.lua file, which handles IP group settings. The new-ipgroup variable is not properly sanitized, allowing an authenticated remote administrator to inject arbitrary operating system commands. Affected models include TP-Link WVR, WAR, and ER series routers; specific firmware versions are not enumerated in the available references but the issue was published in January 2018 [1].
Exploitation
The attacker must be a remote authenticated administrator on the TP-Link device. Exploitation involves sending a crafted HTTP request to the device's management interface, injecting shell commands via the new-ipgroup parameter in the session_limits.lua endpoint. No user interaction beyond the attacker's own actions is required [1].
Impact
Successful exploitation grants the attacker arbitrary command execution with root privileges on the device. This leads to full compromise of the router, including the ability to read, modify, or delete all data, intercept network traffic, or use the device as a pivot for further attacks within the network [1].
Mitigation
No official fix or patch from TP-Link was mentioned in the available references. Users should restrict administrative access to trusted networks only, disable remote administration if not needed, and monitor vendor security advisories for any updates. The device may be end-of-life; consulting TP-Link support is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (2)
- www.securityfocus.com/archive/1/541655/100/0/threaded (mitre, mailing-list, x_refsource_BUGTRAQ)
- github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt (mitre, x_refsource_MISC)