CVE-2019-18396

HIGH EXPLOITED IN THE WILD

Technicolor TD5130v2 Firmware - OS Command Injection via Ping Module pingAddr Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-18396 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including João Teles.

AI-analyzed exploit summary This exploit demonstrates a command injection vulnerability in Technicolor TD5130.2 routers via the `mnt_ping.cgi` endpoint. The `pingAddr` parameter is manipulated to execute arbitrary commands (e.g., `ls`) due to improper input validation.

Description

An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands in the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017–14127.

Exploits (1)

exploitdb WORKING POC
by João Teles · textwebappshardware
https://www.exploit-db.com/exploits/47651

This exploit demonstrates a command injection vulnerability in Technicolor TD5130.2 routers via the `mnt_ping.cgi` endpoint. The `pingAddr` parameter is manipulated to execute arbitrary commands (e.g., `ls`) due to improper input validation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Technicolor TD5130v2 with firmware OI_Fw_V20
Auth required
Prerequisites: Network access to the target device · Valid session cookie for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.2
EPSS 0.1621
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-12-13
InTheWild.io 2019-12-13
CWE
CWE-78
Status published
Products (1)
technicolor/td5130v2_firmware oi_fw_v20
Published Oct 31, 2019
Tracked Since Feb 18, 2026