CVE-2019-12272

CRITICAL

OpenWrt LuCI <0.10 - Command Injection

Title source: llm

Description

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

Exploits (2)

nomisec WORKING POC 20 stars

by HACHp1 · poc

https://github.com/HACHp1/LuCI_RCE_exp

View Code ZIP pw:eip

nomisec STUB

by nevercodecorrect · poc

https://github.com/nevercodecorrect/lede-17.01.3

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d

[Patch, Third Party Advisory] https://github.com/openwrt/luci/commits/master

Scores

CVSS v3 9.8

EPSS 0.3765

EPSS Percentile 97.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

openwrt/luci < 0.10.0

Published May 23, 2019

Tracked Since Feb 18, 2026