CVE-2018-15137

CRITICAL

CeLa Link CLR-M20 - RCE

Title source: llm

Description

CeLa Link CLR-M20 devices allow unauthorized users to upload any file (e.g., asp, aspx, cfm, html, jhtml, jsp, or shtml), which causes remote code execution as well. Because of the WebDAV feature, it is possible to upload arbitrary files by utilizing the PUT method.

Exploits (1)

exploitdb WORKING POC

by Safak Aslan · textwebappshardware

https://www.exploit-db.com/exploits/45021

View Code ZIP pw:eip

References (2)

[Third Party Advisory] https://github.com/safakaslan/CelaLinkCLRM20/issues/1

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45021/

Scores

CVSS v3 9.8

EPSS 0.2703

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

cela_link/clr-m20_firmware 2.7.1.6

Published Aug 08, 2018

Tracked Since Feb 18, 2026