CVE-2018-18319
CRITICALAsuswrt-Merlin Firmware < 380.70 - Remote Code Execution via Merlin.PHP API
Title source: llmDescription
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
http://blog.51cto.com/010bjsoft/2298902
Exploit, Third Party Advisory x_refsource_misc
https://github.com/qoli/Merlin.PHP/issues/27
Scores
CVSS v3
9.8
EPSS
0.0543
EPSS Percentile
91.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (14)
asuswrt-merlin_project/rt-ac1900_firmware
< 380.70
asuswrt-merlin_project/rt-ac2900_firmware
< 380.70
asuswrt-merlin_project/rt-ac3100_firmware
< 380.70
asuswrt-merlin_project/rt-ac3200_firmware
< 380.70
asuswrt-merlin_project/rt-ac5300_firmware
< 380.70
asuswrt-merlin_project/rt-ac56u_firmware
< 380.70
asuswrt-merlin_project/rt-ac66u_b1_firmware
< 380.70
asuswrt-merlin_project/rt-ac68p_firmware
< 380.70
asuswrt-merlin_project/rt-ac68u_firmware
< 380.70
asuswrt-merlin_project/rt-ac68uf_firmware
< 380.70
... and 4 more
Published
Oct 15, 2018
Tracked Since
Feb 18, 2026