CVE-2017-17411

CRITICAL EXPLOITED IN THE WILD

Linksys WVBR0 < 1.0.41 - Unauthenticated Remote Code Execution via Web Management Portal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-17411 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including Metasploit, nixawk, HeadlessZeke, including a Metasploit module exploits/linux/http/linksys_wvbr0_user_agent_exec_noauth.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Linksys WVBR0-25 via the User-Agent header, allowing unauthenticated remote code execution. It includes both a check method to verify vulnerability and payload delivery methods for command execution or session establishment.

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.

Exploits (3)

exploitdb WORKING POC
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/43429

This Metasploit module exploits a command injection vulnerability in Linksys WVBR0-25 via the User-Agent header, allowing unauthenticated remote code execution. It includes both a check method to verify vulnerability and payload delivery methods for command execution or session establishment.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Linksys WVBR0-25 Wireless Video Bridge < 1.0.41
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by nixawk · pythonwebappshardware
https://www.exploit-db.com/exploits/43363

This exploit demonstrates a command injection vulnerability in Linksys WVBR0-25 by injecting a payload via the User-Agent header. It checks for the presence of the injected command and its MD5 hash in the response to confirm exploitation.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Linksys WVBR0-25
No auth needed
Prerequisites: Network access to the target device · Target device must be running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by HeadlessZeke · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linksys_wvbr0_user_agent_exec_noauth.rb

This Metasploit module exploits a command injection vulnerability in the Linksys WVBR0-25 Wireless Video Bridge via the User-Agent header, allowing unauthenticated remote command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Linksys WVBR0-25 Wireless Video Bridge < 1.0.41
No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102212
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/9336
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43363/
Third Party Advisory, VDB Entry x_refsource_misc
https://zerodayinitiative.com/advisories/ZDI-17-973
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43429/

Scores

CVSS v3 9.8
EPSS 0.8793
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12
InTheWild.io 2021-04-12
CWE
CWE-78
Status published
Products (2)
Linksys/Linksys WVBR0 WVBR0
linksys/wvbr0_firmware < 1.0.41
Published Dec 21, 2017
Tracked Since Feb 18, 2026