Vulnerability Details : CVE-2017-8116
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.
Exploit prediction scoring system (EPSS) score for CVE-2017-8116
Probability of exploitation activity in the next 30 days: 1.31%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 84 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-8116
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-8116
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-8116
-
https://github.com/nettitude/metasploit-modules/blob/master/teltonika_cmd_exec.rb
metasploit-modules/teltonika_cmd_exec.rb at master · nettitude/metasploit-modules · GitHubExploit;Third Party Advisory
-
https://github.com/nettitude/metasploit-modules/blob/master/teltonika_add_user.rb
metasploit-modules/teltonika_add_user.rb at master · nettitude/metasploit-modules · GitHubExploit;Third Party Advisory
-
https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/
CVE-2017-8116: Teltonika router unauthenticated remote code execution — Nettitude LabsThird Party Advisory
Products affected by CVE-2017-8116
- cpe:2.3:o:teltonika:rut900_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:teltonika:rut905_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:teltonika:rut950_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:teltonika:rut955_firmware:*:*:*:*:*:*:*:*