CVE-2018-18319
Description
Merlin.PHP 0.6.6 for Asuswrt-Merlin allows remote code execution via eval in api.php due to unsanitized class and function parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Merlin.PHP component version 0.6.6 for Asuswrt-Merlin, the file api.php contains a call to eval() with user-controlled class and function parameters [1]. The $_GET and $_POST values are injected directly into an object instantiation and method call, so a request can choose which class is instantiated and which method is called, leading to arbitrary code execution. Affected versions: Merlin.PHP 0.6.6 and possibly earlier.
Exploitation
An attacker on the network can send a crafted POST request to /6/api.php?function=command&class=remote with a payload such as cc='ls' in the POST body [1]. No authentication is required if the service is exposed.
Impact
Successful exploitation allows remote code execution as the web server user, enabling full control over the router's underlying operating system [1].
Mitigation
The vendor has stated that Merlin.PHP is designed for use only on a trusted intranet network and intentionally allows remote code execution [1]. No patch has been provided. Users should ensure the component is not exposed to untrusted networks, and should consider removing or restricting access to the affected version (0.6.6) if it is not needed.
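Since the only available mitigation is keeping api.php off untrusted networks, a defender-side check that reviews web-server access logs for the dynamic-dispatch request shape reaching the component from outside the LAN is useful. This is an added example, not code from the page or from the Merlin.PHP project; the common-log-format layout, the sample log lines and the choice of RFC 1918 ranges as "trusted intranet" are assumptions made here.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not from any real device.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Oct/2018:12:00:01 +0000] "GET /6/index.php HTTP/1.1" 200 512
203.0.113.45 - - [10/Oct/2018:12:00:02 +0000] "POST /6/api.php?function=command&class=remote HTTP/1.1" 200 88
10.0.0.5 - - [10/Oct/2018:12:00:03 +0000] "GET /6/api.php?function=status&class=nvram HTTP/1.1" 200 240
198.51.100.7 - - [10/Oct/2018:12:00:04 +0000] "GET /6/api.php HTTP/1.1" 200 10
"""

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the "trusted intranet" the vendor refers to is the private address space.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_api_calls(log_text: str) -> list:
    """Return api.php requests that carry the class/function dispatch parameters
    and come from an address outside the trusted ranges. POST bodies are not logged,
    so only query-string parameters are visible here."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/api.php"):
            continue
        qs = parse_qs(parts.query)
        if "class" not in qs or "function" not in qs:
            continue  # not the dynamic class/function dispatch path
        if is_trusted(m["ip"]):
            continue  # intranet use is the vendor's intended deployment
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "class": qs["class"][0], "function": qs["function"][0]})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_api_calls(SAMPLE_LOG):
        print("api.php dispatch from untrusted address:", hit)
```

Run against the real access log of a router that hosts the component; any hit means the component is reachable from outside the intended intranet and access should be restricted.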
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- blog.51cto.com/010bjsoft/2298902
- github.com/qoli/Merlin.PHP/issues/27
News mentions: 0
No linked articles in our index yet.