SB2019040101 - Remote command execution in TP-Link SR20 Smart Home Router




Published: April 1, 2019

Security Bulletin ID SB2019040101
Severity Medium
Patch available NO
Number of vulnerabilities 1
Exploitation vector Adjacent network
Highest impact Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to incorrect filtering of user-supplied input and missing authentication when processing TFTP requests. A remote unauthenticated attacker can send a specially crafted TFTP request to upload a file and an OS command, and so execute arbitrary commands with root privileges on the affected device.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.