CVE-2018-18319
Published 2018-10-15
Priority: P2 (59)
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 5.43% (91.7th percentile)
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.
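The page indexes no detection rule for this CVE, so the following is an added example (not from the page, the Merlin.PHP project or Asuswrt-Merlin) of detection logic in Python run over constructed access-log lines. It flags requests to api.php that carry function=command, the parameter the advisory's demonstration URI uses to reach the eval call, and additionally marks calls whose source address lies outside RFC 1918 space, since the vendor's stated trust boundary is an intranet. The common-log-format layout, the sample addresses and the reading of "trusted intranet" as RFC 1918 ranges are assumptions of this example, not statements from the advisory.

```python
"""Added example: flag Merlin.PHP api.php command calls (CVE-2018-18319 pattern) in web access logs.

Assumptions (not from the advisory): logs are in Apache/nginx common log format, and the
vendor's "trusted intranet" means RFC 1918 address space.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines; not real traffic. Lines 2 and 3 follow the
# advisory's demonstration URI /6/api.php?function=command&class=remote&Cc='ls'.
SAMPLE_LOG = """\
192.168.1.23 - - [15/Oct/2018:10:01:02 +0000] "GET /6/index.php HTTP/1.1" 200 5120
192.168.1.23 - - [15/Oct/2018:10:01:09 +0000] "GET /6/api.php?function=command&class=remote&Cc='ls' HTTP/1.1" 200 312
203.0.113.77 - - [15/Oct/2018:10:02:41 +0000] "GET /6/api.php?function=command&class=remote&Cc=%27id%27 HTTP/1.1" 200 88
192.168.1.50 - - [15/Oct/2018:10:03:00 +0000] "GET /6/api.php?function=status&class=local HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed definition of the vendor's "trusted intranet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one common-log-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_merlin_command_call(target):
    """True when the request target is api.php invoked with function=command,
    the parameter the advisory's demonstration URI uses to reach the eval call."""
    parts = urlsplit(target)
    if not parts.path.endswith("/api.php"):
        return False
    return "command" in parse_qs(parts.query).get("function", [])


def is_outside_intranet(ip_text):
    """True when the source address is not in RFC 1918 space (assumed trust boundary)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(ip in net for net in RFC1918)


def scan(log_text):
    """Return one finding per command call: source, class/Cc parameters, and whether
    the source lies outside the assumed intranet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_merlin_command_call(rec["target"]):
            continue
        qs = parse_qs(urlsplit(rec["target"]).query)
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "class": qs.get("class", [""])[0],
            "cc": qs.get("Cc", [""])[0],  # parse_qs percent-decodes, so %27id%27 -> 'id'
            "external_source": is_outside_intranet(rec["ip"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "EXTERNAL" if f["external_source"] else "intranet"
        print(f'{f["ts"]} {f["ip"]:>15} {tag:9} class={f["class"]} Cc={f["cc"]}')
```

Matching is done on the parsed query string rather than on the raw URI text so that percent-encoded variants of the Cc payload are still caught. Because the vendor treats command execution as intended behaviour on a trusted network, the actionable signal is the external_source flag: a hit from outside the intranet means the Merlin.PHP interface is reachable from where it was never meant to be, and the exposure, not the eval, is what to fix.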
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asuswrt-merlin_project | rt-ac1900_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac2900_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac3100_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac3200_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac5300_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac56u_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac66u_b1_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac68p_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac68u_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac68uf_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac86u_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac87_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt-ac88u_firmware | <= 380.70 | — |
| asuswrt-merlin_project | rt_ac1900p_firmware | <= 380.70 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.