CVE-2018-13307
CRITICAL
EXPLOITED IN THE WILD
TOTOLINK A3002RU 1.0.8 - OS Command Injection via NTP Server IP Parameter
Title source: llm
Exploitation Summary
CVE-2018-13307 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154
Scores
CVSS v3: 9.8
EPSS: 0.1530
EPSS Percentile: 94.7%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2024-05-22
InTheWild.io: 2024-05-29
CWE: CWE-78
Status: published
Products (1)
totolink/a3002ru_firmware: 1.0.8
Published: Nov 27, 2018
Tracked Since: Feb 18, 2026