PT-2018-2661 · Linksys · Linksys E1200+1

Published: 2018-07-09 · Updated: 2023-04-26 · CVE-2018-3954

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Linksys E1200 versions 2.0.09 and earlier
Linksys E2500 versions 3.0.04 and earlier

Description

The issue exists due to improper filtering of data passed to and retrieved from NVRAM, which allows OS command injection. Data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value of the machine name POST parameter. A remote attacker can exploit this to execute arbitrary commands.

Recommendations

For Linksys E1200 version 2.0.09, update to a newer version to mitigate the risk. For Linksys E2500 version 3.0.04, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the apply.cgi endpoint and limiting input to the machine name parameter to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2019-01293
CVE-2018-3954

Affected Products

Linksys E1200
Linksys E2500