CVE-2018-17532
Published 2018-10-15
Priority: P190 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 71.33% (99.3rd percentile)
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| teltonika | rut900_firmware | < 00.04.233 | 00.04.233 |
| teltonika | rut950_firmware | < 00.04.233 | 00.04.233 |
| teltonika | rut955_firmware | < 00.04.233 | 00.04.233 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP POST requests targeting autologin.cgi or hotspotlogin.cgi on Teltonika RUT9XX routers, particularly those injecting OS commands via user-supplied input fields.
- Look for command injection patterns (e.g., curl, chmod) embedded in HTTP POST request parameters (such as the ntp field) targeting CGI endpoints on affected routers.
- Monitor for new cron job creation on Teltonika RUT9XX devices post-exploitation, as the botnet achieves persistence via cron jobs.
- Detect Mirai variant binaries using XOR and ChaCha20 encryption targeting multiple architectures (x86, ARM, MIPS), which distinguishes this variant from classic Mirai string obfuscation.
- Refer to Akamai's published YARA rules and IoC list for detecting and blocking this Mirai-based botnet campaign exploiting CVE-2018-17532.
- Note: CVE-2018-17532 only affects Teltonika RUT9XX routers running firmware versions prior to 00.04.233; devices on 00.04.233 or later are not vulnerable.
- Note: this CVE is being actively chained with CVE-2023-1389 (TP-Link) and an unpatched DigiEver NVR RCE in the same Mirai-based botnet campaign, so detections should account for multi-CVE exploitation in the same campaign.
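The two checks below turn the first two IoCs and the firmware-version note into code. This is an added example written for this page; it is not code from Teltonika, Akamai or any of the sources cited here. The access-record format it parses (client, method, path, form body on one line) and the sample records are constructed assumptions; adapt the parser to your proxy, WAF or router log export.

```python
"""Added example (not from the page or any vendor): two defender-side checks
built from the IoCs listed above.

1. is_vulnerable_firmware(): compares a RUT9XX firmware string against the
   fixed version 00.04.233 given on the page.
2. scan_log(): reads constructed HTTP access records and flags requests to
   autologin.cgi / hotspotlogin.cgi whose form parameters carry shell
   metacharacters or command names such as curl/chmod.

The record format (client, method, path, body) is an assumption made for
this example; adapt the parser to your own log source."""
import re
from urllib.parse import parse_qs, unquote_plus

FIXED_VERSION = "00.04.233"                      # fixed version from the advisory
VULN_ENDPOINTS = ("autologin.cgi", "hotspotlogin.cgi")
SHELL_META = re.compile(r"[;|&`$\n]")            # classic OS-command separators
SUSPECT_TOKENS = re.compile(r"\b(curl|wget|chmod|sh|busybox)\b", re.IGNORECASE)


def parse_version(version):
    """'00.04.233' -> (0, 4, 233) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_firmware(version):
    """True when the firmware predates the fix (strictly below 00.04.233)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def inspect_request(method, path, body):
    """Return a finding dict for requests to the two CGI endpoints, else None."""
    endpoint = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if endpoint not in VULN_ENDPOINTS:
        return None
    findings = []
    # parse_qs URL-decodes once; decode again to catch double-encoded values
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)
            reasons = []
            if SHELL_META.search(decoded):
                reasons.append("shell metacharacter")
            token = SUSPECT_TOKENS.search(decoded)
            if token:
                reasons.append("suspect token " + token.group(1).lower())
            if reasons:
                findings.append({"param": name, "value": decoded, "reasons": reasons})
    # Any request to these unauthenticated endpoints is worth recording;
    # parameters that look like commands raise the severity.
    return {"method": method, "endpoint": endpoint, "findings": findings,
            "severity": "high" if findings else "info"}


def scan_log(text):
    """Parse 'client method path body' records and collect endpoint hits."""
    alerts = []
    for raw in text.splitlines():
        parts = raw.split(maxsplit=3)
        if len(parts) < 4:
            continue
        client, method, path, body = parts
        result = inspect_request(method, path, body)
        if result:
            result["client"] = client
            alerts.append(result)
    return alerts


# Constructed sample records (not real traffic); the second one carries the
# ';' separator plus a chmod token in the ntp field the IoC list describes.
SAMPLE_LOG = """\
198.51.100.7 POST /cgi-bin/autologin.cgi ntp=pool.ntp.org
198.51.100.7 POST /cgi-bin/autologin.cgi ntp=pool.ntp.org%3Bchmod+%2Bx+%2Ftmp%2Fx
203.0.113.9 POST /cgi-bin/hotspotlogin.cgi username=guest&password=guest
203.0.113.9 GET /cgi-bin/luci/ -
"""

if __name__ == "__main__":
    for fw in ("00.04.100", "00.04.233"):
        print(fw, "vulnerable" if is_vulnerable_firmware(fw) else "patched")
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["endpoint"], alert["findings"])
```

Plain POSTs to the two endpoints are reported at "info" severity because the endpoints are reachable without authentication and the page's first IoC asks for them to be watched; only parameters containing separators or command names are escalated to "high". Pair the version check with your asset inventory so that hits are prioritised for devices still below 00.04.233.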
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-9936-24wm-39mx (ghsa_unreviewed · 2022-05-14): CVE-2018-17532 [CRITICAL], CWE-78
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.
VulnCheck
teltonika rut900_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2018 · CVE-2018-17532 [CRITICAL] · CVSS 9.8
Affected: teltonika rut900_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-31&host_type=src&vulnerability=cve-2018-17532
- https://dashboard.shadowserver.org
No detection rules found.
No public exploits indexed.
Bleepingcomputer
New Aquabotv3 botnet malware targets Mitel command injection flaw
blogs_bleepingcomputer · 2025-01-29 · CVE-2024-41710 [HIGH] · CVSS 7.2
By Bill Toulas
A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.
The activity was discovered by Akamai's Security Intelligence and Response Team (SIRT), who reports that this is the third variant of Aquabot that falls under their radar.
The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, 'Aquabotv3,' introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.
Akamai comments that Aquabotv3's mechanism to report back kill attempts is unusual for botnets and may have been
Bleepingcomputer
New botnet exploits vulnerabilities in NVRs, TP-Link routers
blogs_bleepingcomputer · 2024-12-24 · [CRITICAL] · CVSS 9.8
By Bill Toulas
A new Mirai-based botnet is actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs.
The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware.
One of the vulnerabilities used in the campaign was documented by TXOne researcher Ta-Lun Yen and presented last year at the DefCamp security conference in Bucharest, Romania. The researcher said at the time that the issue affects multiple DVR devices.
Akamai researchers observed that the botnet started to exploit the flaw in mid-November, but found evidence that the campaign has been active since at least Sep
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html
- http://seclists.org/fulldisclosure/2018/Oct/27
- https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection