VYPR
Unrated severity · NVD Advisory · Published Jan 11, 2018 · Updated Aug 5, 2024

CVE-2017-15635

Description

TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the max_conn variable in the session_limits.lua file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TP-Link WVR, WAR, and ER devices are vulnerable to authenticated command injection via the max_conn parameter in session_limits.lua.

Vulnerability

TP-Link WVR, WAR, and ER series routers contain a command injection vulnerability in the session_limits.lua file. The max_conn variable is not properly sanitized, allowing remote authenticated administrators to inject arbitrary OS commands [1]. Affected versions include firmware releases for these series prior to the patched versions (specific versions not disclosed in the available reference).

Exploitation

An attacker with valid administrative credentials can exploit this vulnerability by sending a crafted HTTP POST request to the session_limits.lua endpoint with a malicious max_conn parameter containing shell metacharacters (e.g., ; or backticks). The injected command is then executed on the device with root privileges [1].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary commands on the underlying operating system, leading to full compromise of the device. This could result in unauthorized access to network traffic, modification of device configuration, or use as a pivot for further attacks [1].

Mitigation

No official patch has been confirmed in the available references. Users should restrict administrative access to trusted networks and monitor for firmware updates from TP-Link. As a workaround, disable remote administration if not required [1].
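As an added illustration (not code from TP-Link or from the cited reference), the check below flags request bodies whose max_conn value is anything other than a plain decimal integer, which is the property the vulnerable handler failed to enforce. It assumes the parameter arrives in a form-encoded POST body, either as its own field or inside a JSON document carried in a field; the sample bodies and every field name other than max_conn are constructed.

```python
import json
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate max_conn is a short run of ASCII digits and nothing else.
VALID_MAX_CONN = re.compile(r"[0-9]{1,6}")

# Constructed request bodies; field names other than max_conn are made up.
SAMPLES = [
    "max_conn=200&enable=on",
    "max_conn=50%3BPLACEHOLDER",
    'data={"params":{"max_conn":"`PLACEHOLDER`"}}',
]

def find_values(obj, key="max_conn"):
    """Yield every value stored under `key` at any depth of a decoded JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            else:
                yield from find_values(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_values(item, key)

def max_conn_values(body):
    """Collect max_conn values from a form body, including JSON carried in a field."""
    values = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == "max_conn":
            values.append(value)  # parse_qsl has already percent-decoded it once
            continue
        try:
            values.extend(find_values(json.loads(value)))
        except ValueError:
            pass  # field is not JSON, so there is nothing nested to inspect
    return values

def is_suspicious(body):
    """True when any max_conn value is not a plain decimal integer."""
    for v in max_conn_values(body):
        if isinstance(v, bool) or not isinstance(v, (str, int)):
            return True
        if not VALID_MAX_CONN.fullmatch(str(v)):
            return True
    return False

if __name__ == "__main__":
    print([(is_suspicious(b), b) for b in SAMPLES])
```

The same allowlist test, applied in the handler before the value reaches any shell command, is the corresponding fix; matching on digits only avoids having to enumerate metacharacters.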

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

2
