⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2018-13307

CWE-78OS Command Injection4 documents4 sources
Severity
9.8CRITICAL
EPSS
15.3%
top 5.37%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Totolink A3002ru Firmware
Timeline
PublishedNov 27
Latest updateMay 13

Description

System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-g57p-jjjg-vp93: System command injection in fromNtp in TOTOLINK A3002RU version 12022-05-13
CVEList
CVE-2018-13307: System command injection in fromNtp in TOTOLINK A3002RU version 12018-11-27
VulnCheck
totolink a3002ru Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2018
CVE-2018-13307 (CRITICAL CVSS 9.8) | System command injection in fromNtp | cvebase.io