Critical severity 9.8 · NVD Advisory · Published Nov 24, 2017 · Updated May 13, 2026
CVE-2017-16934
Description
The web server on DBL DBLTek devices allows remote attackers to execute arbitrary OS commands by obtaining the admin password via a frame.html?content=/dev/mtdblock/5 request, and then using this password for the HTTP Basic Authentication needed for a change_password.csp request, which supports a "<%%25call system.exec:" string in the passwd parameter.
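A detection sketch for the two requests named in the description, added here as an example and not taken from the advisory or the vendor. It assumes combined-format access logs (from the device or a fronting proxy) that record the request line, and that the `passwd` value is visible in the query string; the log lines, addresses and `PLACEHOLDER` value are constructed.

```python
import re
from urllib.parse import unquote

# Assumed log format: combined access log; we only need client IP and request target.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
# Template marker from the advisory; the space may be logged as whitespace or '+'.
EXEC_RE = re.compile(r"call[\s+]+system\.exec", re.I)

def decode_layers(s, rounds=3):
    """Return s plus each successive percent-decoding (the advisory string nests %25).
    Every layer is kept because over-decoding can corrupt the marker ('%ca' in '%call')."""
    layers = [s]
    for _ in range(rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def classify(target):
    """Return the CVE-2017-16934 indicators present in one request target."""
    hits = set()
    for layer in decode_layers(target):
        path, _, query = layer.partition("?")
        path = path.lower()
        if path.endswith("/frame.html") and "content=/dev/mtdblock/5" in query.lower():
            hits.add("flash_read")          # request that exposes the admin password
        if path.endswith("/change_password.csp"):
            hits.add("password_change")     # legitimate on its own
            if EXEC_RE.search(query):
                hits.add("exec_template")   # command template in passwd
    return hits

def scan(lines):
    """Map client IP -> set of indicators seen across all of its requests."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        hits = classify(m.group("target")) if m else set()
        if hits:
            seen.setdefault(m.group("ip"), set()).update(hits)
    return seen

def full_chain(seen):
    """Clients that performed both stages described in the advisory."""
    return sorted(ip for ip, h in seen.items() if {"flash_read", "exec_template"} <= h)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [24/Nov/2017:10:00:01 +0000] "GET /frame.html?content=/dev/mtdblock/5 HTTP/1.1" 200 4096',
    '192.0.2.10 - admin [24/Nov/2017:10:00:09 +0000] "GET /change_password.csp?passwd=%3C%25%2525call%20system.exec:PLACEHOLDER HTTP/1.1" 200 120',
    '198.51.100.7 - admin [24/Nov/2017:11:30:00 +0000] "GET /change_password.csp?passwd=Str0ngPass HTTP/1.1" 200 120',
    '203.0.113.5 - - [24/Nov/2017:12:00:00 +0000] "GET /frame.html?content=status.html HTTP/1.1" 200 800',
]
```

If the password change is sent in a request body that the log does not capture, only `flash_read` and `password_change` will appear, so a `flash_read` hit alone is worth investigating.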
Affected products
- cpe:2.3:a:dbltek:web_server:-:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- blogs.securiteam.com/index.php/archives/3437 (nvd; Exploit, Third Party Advisory)