High severity8.8NVD Advisory· Published Sep 19, 2018· Updated Jun 17, 2026
CVE-2018-17208
CVE-2018-17208
Description
Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.
Affected products
1Patches
Vulnerability mechanics
References
1- langkjaer.com/velop.htmlnvdExploitTechnical DescriptionThird Party Advisory
News mentions
0No linked articles in our index yet.