cbcvebase.
CVE-2018-20841
published 2019-06-11

Priority: P1 86 · 9.8 critical (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 47.90% (98.7th percentile)
HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=security&opt=mac_table request.

Affected (2 ranges)

Vendor    Product                            Version range    Fixed in
hootoo    tripmate_titan_ht-tm05_firmware
hootoo    tripmate_titan_ht-tm05_firmware

(The version-range and fixed-in cells were not captured in this extraction; the description above names firmware 2.000.022 and 2.000.082.)

Detection & IOCs (extracted from sources)

url: /protocol.csp?function=set&fname=security&opt=mac_table

rule (ET Open sid 2027460, outbound; written in Suricata http sticky-buffer syntax):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; startswith; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027460; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

rule (ET Open sid 2027461, inbound; same logic with source and destination swapped):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; startswith; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027461; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

bytes: &mac=|7c|  (|7c| is the pipe character, so the rule looks for the literal string "&mac=|")
  • Exploit traffic is an HTTP POST whose URI begins with /protocol.csp?function=; the rules match that prefix and then the string &mac=| (0x7c) later in the same URI. Only the pipe variant is covered: a mac value built with ';', backticks or $( ) passes both rules unless the content match is extended.
  • The vulnerable parameter is mac. The ET rules above inspect it in the URI query string (http.uri); a request that carries mac in the POST body instead is not matched by them, so confirm separately that body-inspecting coverage exists if your sensor sees such traffic. Any shell metacharacter reaching the parameter gives unauthenticated command execution on the device.
  • Affected firmware versions are 2.000.022 and 2.000.082 on the HT-TM05 and HT-05 models; scope detections to these devices where possible to reduce false positives.
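As an added example, not part of this entry and not code from Emerging Threats, the Python below re-implements the match logic of sids 2027460/2027461 and runs it, next to a broader matcher, over a few constructed request records. The record format, the sample requests and the broader matcher (other metacharacters, percent-decoded values, a form-body mac parameter) are assumptions made for the example; the page and the ET rules say nothing about them.

```python
"""
Added example for CVE-2018-20841 detection (not from the CVE entry or from
Emerging Threats): an exact re-implementation of what ET sids 2027460/2027461
test, plus a broader matcher, applied to constructed HTTP request records.

Assumptions (not on the original page): the (method, request-target, body)
record shape and the sample requests are made up; the broad matcher that
percent-decodes, checks ';', '`', '$(', '&&' and a form-body 'mac' value is an
extension of the ET logic, not the rule itself.
"""
from urllib.parse import parse_qs, urlsplit

# The two ET rules test exactly this:
#   http.method == "POST"
#   http.uri starts with "/protocol.csp?function="
#   "&mac=|" (|7c| is the hex pipe) appears in http.uri after that prefix
ET_URI_PREFIX = "/protocol.csp?function="
ET_MAC_PIPE = "&mac=|"

# Broader set of shell metacharacters; the ET rules only look for '|'.
SHELL_METACHARS = ("|", ";", "`", "$(", "&&", "\n")


def et_rule_matches(method: str, uri: str) -> bool:
    """Equivalent of the ET Open rule logic: URI only, raw pipe only."""
    if method != "POST":
        return False
    if not uri.startswith(ET_URI_PREFIX):
        return False
    # distance:0 means the second content must follow the prefix match.
    return ET_MAC_PIPE in uri[len(ET_URI_PREFIX):]


def mac_params(uri: str, body: str = "") -> list:
    """All 'mac' values from the query string and form body, percent-decoded."""
    values = []
    for source in (urlsplit(uri).query, body):
        if source:
            values += parse_qs(source, keep_blank_values=True).get("mac", [])
    return values


def broad_matches(method: str, uri: str, body: str = "") -> bool:
    """Extension of the ET logic: any shell metacharacter in any 'mac' value."""
    if method != "POST" or urlsplit(uri).path != "/protocol.csp":
        return False
    return any(m in v for v in mac_params(uri, body) for m in SHELL_METACHARS)


# Constructed request records (method, request-target, form body); not captures.
SAMPLE_REQUESTS = [
    ("POST", "/protocol.csp?function=set&fname=security&opt=mac_table&mac=|/bin/sh", ""),
    ("POST", "/protocol.csp?function=set&fname=security&opt=mac_table&mac=%7Creboot", ""),
    ("POST", "/protocol.csp?function=set&fname=security&opt=mac_table&mac=00:11:22:33:44:55", ""),
    ("POST", "/protocol.csp?function=set&fname=security&opt=mac_table", "mac=%3Bid"),
    ("GET", "/protocol.csp?function=set&fname=security&opt=mac_table&mac=|ls", ""),
    ("POST", "/index.csp?page=1&mac=|ls", ""),
]


def scan(records) -> list:
    """Return (index, et_hit, broad_hit) for each record flagged by either matcher."""
    hits = []
    for i, (method, uri, body) in enumerate(records):
        et = et_rule_matches(method, uri)
        broad = broad_matches(method, uri, body)
        if et or broad:
            hits.append((i, et, broad))
    return hits


if __name__ == "__main__":
    for idx, et, broad in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: ET rule={'hit' if et else 'miss'}, broad={'hit' if broad else 'miss'}")
```

Records 1 (percent-encoded pipe) and 3 (metacharacter in the form body) are caught only by the broad matcher, which is the coverage gap the bullets above describe. Whether a live Suricata sensor catches the %7c case with the ET rule depends on its URI normalization settings, so test it against your own deployment rather than assuming either outcome.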

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL