PT-2017-18223 · Tp Link · Tp-Link C2+1
Pierre Kim
·
Published
2017-04-25
·
Updated
2019-10-03
·
CVE-2017-8220
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n
Description
The issue allows remote code execution with a single HTTP request. This can be achieved by placing shell commands in a
host= line within HTTP POST data.Recommendations
For TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n, consider restricting access to the HTTP POST endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the
host parameter in HTTP POST requests until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tp-Link C2
Tp-Link C20I