CVE-2018-3949
HIGH | EXPLOITED IN THE WILD
TP-Link TL-R600VPN - Path Traversal via Crafted URL
Title source: llm
Exploitation Summary
CVE-2018-3949 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618
Scores
CVSS v3: 7.5
EPSS: 0.2338
EPSS Percentile: 96.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
VulnCheck KEV: 2022-01-12
InTheWild.io: 2021-11-11
CWE: CWE-22
Status: published
Products (2)
tp-link/tl-r600vpn_firmware 1.3.0
tp-link/tl-r600vpn_firmware 1.2.3
Published: Dec 01, 2018
Tracked Since: Feb 18, 2026