Command Injection Vulnerability in Linksys Velop Devices
CVE-2018-17208

8.8HIGH

Key Information:

Vendor: Linksys
Status: Velop Firmware
Vendor: CVE Published:; 19 September 2018

What is CVE-2018-17208?

Linksys Velop devices running firmware version 1.1.2.187020 are susceptible to a command injection vulnerability due to mishandling of shell metacharacters in the query string of specific scripts such as zbtest.cgi and zbtest2.cgi. An attacker can exploit this flaw to execute arbitrary commands with root privileges on the device, potentially leading to unauthorized access and control. The vulnerability can also be leveraged through cross-site request forgery (CSRF) attacks, further increasing the risk of compromise. Users are advised to update their firmware to mitigate this security threat.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://langkjaer.com/velop.html

x_refsource_MISC

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Sep 19, 2018

JSON

Linksys

What is CVE-2018-17208?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

EPSS Score

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.