PT-2018-14404 · Asuswrt Merlin · Merlin.Php

Ly55521

Published

2018-10-15

Updated

2024-08-05

CVE-2018-18320

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Merlin.PHP version 0.6.6

Description An issue was discovered in the Merlin.PHP component for Asuswrt-Merlin devices, allowing an attacker to execute arbitrary commands due to a popen call in exec.php. The vendor notes that Merlin.PHP is designed for use on a trusted intranet network and intentionally allows remote code execution.

Recommendations For Merlin.PHP version 0.6.6, consider restricting access to exec.php to minimize the risk of exploitation, as the component is intended for use on a trusted intranet network. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2018-18320

Affected Products

Merlin.Php

PT-2018-14404 · Asuswrt Merlin · Merlin.Php

CVE-2018-18320

Related Identifiers

Affected Products

References · 5