Strix
26.1K

CVE-2017-16960

UnknownEPSS 2.36%

Last modified

CVE-2017-16960 is a vulnerability of currently unknown severity. TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.. EPSS estimates a 2.36% chance of exploitation in the next 30 days.

Description

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.

Metrics

EPSS Probability
2.36%

81.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Tp-LinkTl-Er5510gv2
Tp-LinkTl-Er5510gv3
Tp-LinkTl-Er5520gv2
Tp-LinkTl-Er5520gv3
Tp-LinkTl-Er6120gv2
Tp-LinkTl-Er6520gv2
Tp-LinkTl-Er6520gv3
Tp-LinkTl-R4239gv2
Tp-LinkTl-R4299gv2
Tp-LinkTl-R473v5
Tp-LinkTl-R478v6
Tp-LinkTl-R478\+v7
Tp-LinkTl-R478g\+v3
Tp-LinkTl-R483v5
Tp-LinkTl-R483gv2
Tp-LinkTl-R488v5
Tp-LinkTl-Wvr300v4
Tp-LinkTl-Wvr302v2
Tp-LinkTl-Wvr450gv5
Tp-LinkTl-Wvr900gv3
Tp-LinkTl-Wvr450 FirmwareAll versions
Tp-LinkTl-Wvr450l FirmwareAll versions
Tp-LinkTl-Wvr458 FirmwareAll versions
Tp-LinkTl-Wvr458l FirmwareAll versions
Tp-LinkTl-Wvr458p FirmwareAll versions
Tp-LinkTl-Wvr900l FirmwareAll versions
Tp-LinkTl-Wvr1200l FirmwareAll versions
Tp-LinkTl-Wvr1300l FirmwareAll versions
Tp-LinkTl-Wvr1300g FirmwareAll versions
Tp-LinkTl-Wvr1750l FirmwareAll versions
Tp-LinkTl-Wvr2600l FirmwareAll versions
Tp-LinkTl-Wvr4300l FirmwareAll versions
Tp-LinkTl-War302 FirmwareAll versions
Tp-LinkTl-War450 FirmwareAll versions
Tp-LinkTl-War450l FirmwareAll versions
Tp-LinkTl-War458 FirmwareAll versions
Tp-LinkTl-War458l FirmwareAll versions
Tp-LinkTl-War900l FirmwareAll versions
Tp-LinkTl-War1200l FirmwareAll versions
Tp-LinkTl-War1300l FirmwareAll versions
Tp-LinkTl-War1750l FirmwareAll versions
Tp-LinkTl-War2600l FirmwareAll versions
Tp-LinkTl-Er3210g FirmwareAll versions
Tp-LinkTl-Er3220g FirmwareAll versions
Tp-LinkTl-Er5110g FirmwareAll versions
Tp-LinkTl-Er5120g FirmwareAll versions
Tp-LinkTl-Er6110g FirmwareAll versions
Tp-LinkTl-Er6220g FirmwareAll versions
Tp-LinkTl-Er6510g FirmwareAll versions
Tp-LinkTl-Er7520g FirmwareAll versions

Showing 50 of 58 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2017-16960?
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
How severe is CVE-2017-16960?
Severity scoring for CVE-2017-16960 is pending analysis. The EPSS model estimates a 2.36% probability of exploitation in the next 30 days.
How do I fix CVE-2017-16960?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-16960?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST