CVE-2018-17532
published 2018-10-15


Priority: P1 · 90 · critical
CVSS 3.0: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 71.33% (99.3rd percentile)
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

Affected (3 ranges)

Vendor      Product           Version range   Fixed in
teltonika   rut900_firmware   < 00.04.233     00.04.233
teltonika   rut950_firmware   < 00.04.233     00.04.233
teltonika   rut955_firmware   < 00.04.233     00.04.233

Detection & IOCs (extracted from sources)

path: /cgi-bin/cgi_main.cgi
path: autologin.cgi
path: hotspotlogin.cgi
  • Detect unauthenticated HTTP POST requests targeting autologin.cgi or hotspotlogin.cgi on Teltonika RUT9XX routers, particularly those that inject OS commands via user-supplied input fields.
  • Look for command injection patterns (e.g., curl, chmod) embedded in HTTP POST request parameters (such as the ntp field) sent to CGI endpoints on affected routers.
  • Monitor for new cron job creation on Teltonika RUT9XX devices after exploitation, as the botnet achieves persistence via cron jobs.
  • Detect Mirai variant binaries that use XOR and ChaCha20 encryption and target multiple architectures (x86, ARM, MIPS); this encryption distinguishes the variant from classic Mirai string obfuscation.
  • Refer to Akamai's published YARA rules and IoC list for detecting and blocking this Mirai-based botnet campaign exploiting CVE-2018-17532.
  • CVE-2018-17532 only affects Teltonika RUT9XX routers running firmware versions prior to 00.04.233; devices on 00.04.233 or later are not vulnerable.
  • This CVE is being actively chained with CVE-2023-1389 (TP-Link) and an unpatched DigiEver NVR RCE in the same Mirai-based botnet campaign, so detections should account for multi-CVE exploitation within a single campaign.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         9.8     CRITICAL   -