CVE-2019-12272

CRITICAL

OpenWrt LuCI <0.10 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-12272. PoCs published by HACHp1, nevercodecorrect.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2019-12272, demonstrating remote command execution (RCE) in LuCI via command injection in the bandwidth_status and wireless_status endpoints. The PoC authenticates, injects a command via the URL path, and retrieves the output from a generated file.

Description

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

Exploits (2)

nomisec WORKING POC 20 stars

by HACHp1 · poc

https://github.com/HACHp1/LuCI_RCE_exp

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2019-12272, demonstrating remote command execution (RCE) in LuCI via command injection in the bandwidth_status and wireless_status endpoints. The PoC authenticates, injects a command via the URL path, and retrieves the output from a generated file.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: LuCI (OpenWrt web interface)

Auth required

Prerequisites: Valid credentials for the LuCI interface · Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by nevercodecorrect · poc

https://github.com/nevercodecorrect/lede-17.01.3

View Code ZIP pw:eip

The repository contains build system files for LEDE 17.01.3 but lacks any exploit code or technical details related to CVE-2019-12272. The README only mentions the CVE without providing context or PoC.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: LEDE 17.01.3

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/openwrt/luci/commits/master

Patch, Third Party Advisory x_refsource_misc

https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d

Scores

CVSS v3 9.8

EPSS 0.0737

EPSS Percentile 93.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

openwrt/luci < 0.10.0

Published May 23, 2019

Tracked Since Feb 18, 2026