PT-2018-13949 · Linksys · Linksys Velop

Published: 2018-09-19 · Updated: 2019-10-03 · CVE-2018-17208

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Linksys Velop version 1.1.2.187020

Description

The issue allows unauthenticated command injection, giving an attacker full root access, via the "cgi-bin/zbtest.cgi" or "cgi-bin/zbtest2.cgi" API endpoints. It occurs because the ShellExecute function mishandles shell metacharacters in the query string, as demonstrated by the zbtest.cgi?cmd=level&level= substring. The issue can also be exploited via CSRF.

Recommendations

For Linksys Velop version 1.1.2.187020, as a temporary workaround, consider restricting access to the "cgi-bin/zbtest.cgi" and "cgi-bin/zbtest2.cgi" API endpoints to minimize the risk of exploitation. Avoid using the cmd and level variables in the query string of the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
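
To check whether the two endpoints are being reached while the workaround is in place, the following added example (not part of the original advisory or of any Linksys code) triages web or proxy access logs for requests to them. It assumes combined log format, a hypothetical `ROUTER_HOSTS` set naming the router's own addresses, and constructed sample lines.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints named in the advisory.
ENDPOINTS = ("/cgi-bin/zbtest.cgi", "/cgi-bin/zbtest2.cgi")
# Shell metacharacters; any of them in a parameter sent here is suspicious.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")
# Assumption: combined log format written by a proxy in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumption: names under which the router's own UI is reached.
ROUTER_HOSTS = {"192.168.1.1", "myrouter.local"}
# Constructed sample lines (not real traffic); PLACEHOLDER stands in for a payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2018:10:00:00 +0000] "GET /cgi-bin/zbtest.cgi?cmd=level&level=1%3BPLACEHOLDER HTTP/1.1" 200 12 "http://example.test/page.html" "Mozilla/5.0"',
    '192.168.1.50 - - [19/Sep/2018:10:01:00 +0000] "GET /cgi-bin/zbtest2.cgi?cmd=level&level=3 HTTP/1.1" 200 12 "-" "curl/7.61"',
    '192.168.1.50 - - [19/Sep/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def triage(lines):
    """Return one finding per logged request that touches a zbtest endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(ENDPOINTS):
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        params = parse_qsl(url.query, keep_blank_values=True)
        bad = sorted({k for k, v in params if SHELL_META.search(k + v)})
        ref_host = urlsplit(m["referer"]).hostname
        findings.append({
            "src": m["src"],
            "endpoint": url.path,
            "metachar_params": bad,
            # A foreign Referer fits the CSRF route the advisory mentions.
            "cross_site": ref_host is not None and ref_host not in ROUTER_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any hit on these endpoints deserves review once access has been restricted; a non-empty `metachar_params` or a true `cross_site` value marks the requests to look at first.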

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2018-17208

Affected Products

Linksys Velop