CVE-2017-17411
published 2017-12-21


Priority: P1 92, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 87.93% (99.7th percentile)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.

Affected

2 ranges

| Vendor  | Product        | Version range | Fixed in |
|---------|----------------|---------------|----------|
| linksys | linksys_wvbr0  |               |          |
| linksys | wvbr0_firmware | < 1.0.41      | 1.0.41   |

Detection & IOCs (extracted from sources)

ua"; echo "admin
command"; printf "#{check_str}
command"; echo #{beg_boundary}; #{payload.encoded} #
command"; #{payload.encoded} #
  • Detect CVE-2017-17411 exploitation by inspecting HTTP User-Agent headers for shell metacharacters, specifically a leading double-quote followed by a semicolon (e.g., `";`), which is the injection delimiter used in all known exploits against the Linksys WVBR0-25 web management portal.
  • Alert on HTTP GET requests to the root URI `/` of Linksys WVBR0-25 devices where the User-Agent header contains shell injection patterns such as `";` or `" #` (comment terminator), as used by both the standalone PoC and the Metasploit module.
  • The Metasploit check phase injects a random 8-character alpha string via User-Agent and looks for its MD5 hash in the response body (`res.body.to_s.include?(Rex::Text.md5(check_str))`). Detecting an MD5 hex string in the HTTP response body of a device management page is a strong indicator of successful exploitation.
  • Shodan/internet-scan pivot: devices exposing the string `Vendor:LINKSYS ModelName:WVBR0-25-US` are the target population for this vulnerability and can be used to scope detection or hunting.
  • The vulnerable code path surfaces injected commands inside the response body under the key `config.webui sys_cmd`. Monitor or log responses from the device management portal for this string as evidence of active exploitation.
  • The vulnerability only affects Linksys WVBR0-25 firmware versions below 1.0.41 of the web management portal. Devices running 1.0.41 or later are not affected.
  • No authentication is required to exploit this vulnerability; the injection endpoint is exposed on the unauthenticated web management portal, meaning network-level access alone is sufficient for exploitation.
  • Successful exploitation yields code execution with root privileges, making post-exploitation impact maximal on affected devices.
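
The detection notes above can be combined into one hunting rule. The following is an added example, not code from this page's sources: it assumes a proxy or sensor log in JSON-lines form with hypothetical field names `src`, `method`, `uri`, `user_agent` and `resp_body`, and the sample records are constructed.

```python
import json
import re

# Indicators taken from the detection notes above.
UA_INJECTION = re.compile(r'";|" #')        # quote+semicolon delimiter, or quote then comment
MD5_HEX = re.compile(r"\b[0-9a-f]{32}\b")   # the Metasploit check looks for an MD5 hex digest
SYS_CMD_KEY = "config.webui sys_cmd"        # key under which injected commands surface

def classify(event):
    """Return the indicators one request/response record matches (empty list = clean)."""
    ua = event.get("user_agent") or ""
    body = event.get("resp_body") or ""
    if not (event.get("method") == "GET" and event.get("uri") == "/"
            and UA_INJECTION.search(ua)):
        return []
    hits = ["ua_shell_metachars"]
    # Body indicators are only trusted alongside a suspicious User-Agent: a bare
    # 32-hex string also appears in benign pages (asset hashes, ETags).
    if SYS_CMD_KEY in body:
        hits.append("sys_cmd_in_response")
    if MD5_HEX.search(body):
        hits.append("md5_in_response")
    return hits

def scan(jsonl_lines):
    """Return (source_ip, indicators) for every record that matches."""
    out = []
    for line in jsonl_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines rather than abort the hunt
        hits = classify(event) if isinstance(event, dict) else []
        if hits:
            out.append((event.get("src"), hits))
    return out

# Constructed sample records (documentation-range IPs, harmless strings).
SAMPLE = [json.dumps(e) for e in (
    {"src": "198.51.100.7", "method": "GET", "uri": "/", "user_agent": "Mozilla/5.0", "resp_body": "<html>login</html>"},
    {"src": "203.0.113.5", "method": "GET", "uri": "/", "user_agent": 'x"; echo probe #', "resp_body": "<html>login</html>"},
    {"src": "203.0.113.9", "method": "GET", "uri": "/", "user_agent": 'x"; printf "marker', "resp_body": "config.webui sys_cmd = 0123456789abcdef0123456789abcdef"},
    {"src": "198.51.100.8", "method": "GET", "uri": "/", "user_agent": "curl/8.0", "resp_body": "etag 0123456789abcdef0123456789abcdef"},
)] + ["not json"]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(src, ",".join(hits))
```

A record with only `ua_shell_metachars` is an attempt; the response-body indicators alongside it point to a command that actually ran.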

CVSS provenance

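| Source    | Version | Score | Severity | Vector                                       |
|-----------|---------|-------|----------|----------------------------------------------|
| nvd       | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd       | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C                   |
| vulncheck |         | 9.8   | CRITICAL |                                              |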