CVE-2018-18319

Name of the Vulnerable Software and Affected Versions Merlin.PHP version 0.6.6

Description An issue was discovered in the Merlin.PHP component for Asuswrt-Merlin devices, allowing an attacker to execute arbitrary commands. This is due to an eval call in api.php, as demonstrated by the "/6/api.php?function=command&class=remote&Cc='ls'" URI. The vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network and intentionally allows remote code execution.

Recommendations For Merlin.PHP version 0.6.6, consider restricting access to the api.php endpoint to minimize the risk of exploitation, as it intentionally allows remote code execution in trusted intranet networks.