CVE-2023-47167

Name of the Vulnerable Software and Affected Versions Tp-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591

Description A post authentication command injection issue exists in the GRE policy functionality. This can be exploited by sending a specially crafted HTTP request, potentially allowing a remote attacker to execute arbitrary commands. The issue is related to the web server uHTTPd and can be triggered through ports 80/443.

Recommendations For Tp-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591, consider restricting access to the GRE policy functionality until a patch is available. As a temporary workaround, limit the use of HTTP requests to trusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.