CVE-2017-8116
CRITICAL
Teltonika Rut900 Firmware < 00.03.265 - OS Command Injection
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.
References (3)
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/nettitude/metasploit-modules/blob/master/teltonika_add_user.rb
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/nettitude/metasploit-modules/blob/master/teltonika_cmd_exec.rb
Third Party Advisory (x_refsource_misc): https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
Scores
CVSS v3: 9.8
EPSS: 0.0746
EPSS Percentile: 91.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (4)
teltonika/rut900_firmware: < 00.03.265
teltonika/rut905_firmware: < 00.03.265
teltonika/rut950_firmware: < 00.03.265
teltonika/rut955_firmware: < 00.03.265
Published: Jul 03, 2017
Tracked Since: Feb 18, 2026