High severity8.8NVD Advisory· Published Dec 19, 2017· Updated Jun 17, 2026
CVE-2017-17758
CVE-2017-17758
Description
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
17cpe:2.3:o:tp-link:tl-war1200l_firmware:-:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:tp-link:tl-war1200l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr1200l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr4300l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-war1300l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-war1750l_firmware:-:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:tp-link:tl-war1750l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-war2600l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-war900l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr1300l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr1750l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr2600l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr450l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tl-war450l_firmware:-:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:tp-link:tl-war450l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-war458l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr458l_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:tp-link:tl-wvr900l_firmware:-:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
1- github.com/L1ZhaoXin/Router-Vulnerability-Research/blob/master/Tplink_LUCI_Dhcps_Authenticated_RCE_Record.txtnvdExploitIssue TrackingThird Party Advisory
News mentions
0No linked articles in our index yet.