CVE-2018-19239

Name of the Vulnerable Software and Affected Versions TRENDnet TEW-673GRU version 1.00b40

Description The issue allows remote attackers to execute arbitrary commands on the device. This is achieved by exploiting an OS command injection vulnerability in the start arpping function of the timer binary. The vulnerability can be triggered by passing malicious input to the dhcpd start, dhcpd end, and lan ipaddr parameters in a POST request to the "apply.cgi" binary.

Recommendations For TRENDnet TEW-673GRU version 1.00b40, as a temporary workaround, consider restricting access to the apply.cgi binary to minimize the risk of exploitation. Avoid using the parameters dhcpd start, dhcpd end, and lan ipaddr in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.