CVE-2017-13713

HIGH

T&W WIFI Repeater BE126 - Authenticated Remote Code Execution via User Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-13713. PoCs published by Hay Mizrachi.

AI-analyzed exploit summary This exploit demonstrates a command injection vulnerability in WIFI Repeater BE126 via an unsanitized 'user' parameter in an HTTP POST request. The PoC uses curl to inject arbitrary commands, achieving remote code execution.

Description

T&W WIFI Repeater BE126 allows remote authenticated users to execute arbitrary code via shell metacharacters in the user parameter to cgi-bin/webupg.

Exploits (1)

exploitdb WORKING POC

by Hay Mizrachi · textwebappshardware

https://www.exploit-db.com/exploits/42608

View Code ZIP pw:eip

This exploit demonstrates a command injection vulnerability in WIFI Repeater BE126 via an unsanitized 'user' parameter in an HTTP POST request. The PoC uses curl to inject arbitrary commands, achieving remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WIFI Repeater BE126 1.0

Auth required

Prerequisites: Network access to the target device · Valid session cookie with admin privileges

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42608/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/143978/Wireless-Repeater-BE126-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.0912

EPSS Percentile 94.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

twsz/wifi_repeater_firmware

Published Sep 07, 2017

Tracked Since Feb 18, 2026