CVE-2018-11314

CRITICAL

Roku Firmware - Unauthenticated Remote Device Control via DNS Rebinding Attack

Description

The External Control API in Roku and Roku TV products allows unauthorized access via a DNS Rebind attack. This can result in remote device control and in the exfiltration of privileged device and network information by an attacker.

Scores

CVSS v3 9.6
EPSS 0.0174
EPSS Percentile 75.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE CWE-20
Status published
Products (1) roku/roku_firmware
Published Jul 03, 2018
Tracked Since Feb 18, 2026