Description
Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.
References (1)
Core 1
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://langkjaer.com/velop.html
Scores
CVSS v3
8.8
EPSS
0.1601
EPSS Percentile
94.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
linksys/velop_firmware
1.1.2.187020
Published
Sep 19, 2018
Tracked Since
Feb 18, 2026