CVE-2018-18320

Name of the Vulnerable Software and Affected Versions Merlin.PHP version 0.6.6

Description An issue was discovered in the Merlin.PHP component for Asuswrt-Merlin devices, allowing an attacker to execute arbitrary commands due to a popen call in exec.php. The vendor notes that Merlin.PHP is designed for use on a trusted intranet network and intentionally allows remote code execution.

Recommendations For Merlin.PHP version 0.6.6, consider restricting access to exec.php to minimize the risk of exploitation, as the component is intended for use on a trusted intranet network. At the moment, there is no information about a newer version that contains a fix for this vulnerability.