CVE-2018-17558

CRITICAL

ABUS TVIP Firmware - OS Command Injection via /cgi-bin/mft/ Directory

Title source: llm

Description

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://sec.maride.cc/posts/abus/

Third Party Advisory

https://www.ccc.de/en/updates/2019/update-nicht-verfugbar-hersteller-nicht-zu-erreichen

Scores

CVSS v3 9.8

EPSS 0.0251

EPSS Percentile 82.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78 CWE-798

Status published

Products (47)

abus/tvip_10000_firmware

abus/tvip_10001_firmware

abus/tvip_10005_firmware

abus/tvip_10005a_firmware

abus/tvip_10005b_firmware

abus/tvip_10050_firmware

abus/tvip_10051_firmware

abus/tvip_10055a_firmware

abus/tvip_10055b_firmware

abus/tvip_10500_firmware

... and 37 more

Published Oct 26, 2023

Tracked Since Feb 18, 2026