CVE-2018-17532
CRITICAL | EXPLOITED
Teltonika RUT9XX <00.04.233 - Command Injection
Title source: llmDescription
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.
References (3)
Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Oct/27
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection
Scores
CVSS v3
9.8
EPSS
0.7713
EPSS Percentile
99.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-12-31
CWE
CWE-78
Status
published
Products (3)
teltonika/rut900_firmware
< 00.04.233
teltonika/rut950_firmware
< 00.04.233
teltonika/rut955_firmware
< 00.04.233
Published
Oct 15, 2018
Tracked Since
Feb 18, 2026