CVE-2023-36498

Name of the Vulnerable Software and Affected Versions Tp-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591

Description A post-authentication command injection vulnerability exists in the PPTP client functionality. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell. The vulnerability can be exploited by sending a crafted request to port 80/443, allowing a remote attacker to execute arbitrary commands.

Recommendations For Tp-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591, consider disabling the PPTP client functionality until a patch is available to prevent exploitation. Restrict access to port 80/443 to minimize the risk of exploitation. Avoid using the PPTP client functionality in the affected router until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.