CVE-2018-3949
Published 2018-12-01
Priority: P2 78 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 53.30% (98.9th percentile)
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| talos | tp-link | — | — |
| tp-link | tl-r600vpn_firmware | — | — |
| tp-link | tl-r600vpn_firmware | — | — |
Detection & IOCs
Snort rules: 47037, 47039-47040, 47062
- Directory traversal using 'help' as the base page does not require authentication and can read any file on the system — monitor HTTP requests to /help/ containing traversal sequences (e.g., ../) without session cookies.
- The vulnerability is exploitable both with and without authentication — detection rules should not rely solely on session/auth state to filter traffic.
- Traversal attempts targeting the following URL base paths are relevant to CVE-2018-3948/3949: help, images, frames, dynaform, localization.
- All vulnerabilities (including CVE-2018-3949) were confirmed on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3; TALOS-2018-0620 (CVE-2018-3951) was found only on HWv3 FRNv1.3.0.
- The HTTPD process runs as root, meaning successful exploitation of any of these vulnerabilities yields root-level code execution.
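The detection notes above, as an added example (not from the cited advisories or any vendor tooling): a log scanner that flags traversal sequences under the listed base paths and records session state without ever filtering on it. The log format, field names and sample lines are constructed for illustration; the bounded percent-decoding is a generic normalisation step in the detector, not a statement about how the device parses URLs.

```python
import re
from urllib.parse import unquote

# Base paths named on this page as relevant to CVE-2018-3948/3949.
BASE_PATHS = ("help", "images", "frames", "dynaform", "localization")
# Constructed log format (assumption): <src> "<method> <target> <proto>" <status> cookie=<0|1>
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) \S+" (\d{3}) cookie=([01])$')

def normalise(target, rounds=3):
    """Strip the query string, then percent-decode until stable (bounded)."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(target):
    """True if the first segment is a listed base path and a later segment is '..'."""
    segments = [s for s in normalise(target).split("/") if s]
    if not segments or segments[0].lower() not in BASE_PATHS:
        return False
    return ".." in segments[1:]

def scan(lines):
    """Return alerts for matching requests; auth state is recorded, never used as a filter."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, method, target, status, cookie = m.groups()
        if is_traversal(target):
            alerts.append({"src": src, "target": target, "status": int(status),
                           "authenticated": cookie == "1"})
    return alerts

# Constructed sample lines (not captured traffic); addresses are from RFC 5737.
SAMPLE = [
    '192.0.2.10 "GET /help/../../etc/placeholder HTTP/1.1" 200 cookie=0',
    '192.0.2.11 "GET /images/%2e%2e/%2e%2e/placeholder HTTP/1.1" 200 cookie=1',
    '192.0.2.12 "GET /help/index.htm HTTP/1.1" 200 cookie=0',
    '192.0.2.13 "GET /status/../placeholder HTTP/1.1" 404 cookie=1',
    '192.0.2.14 "GET /localization/%252e%252e/placeholder HTTP/1.1" 200 cookie=0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A 200 status on a flagged request is the case to triage first, since it suggests the server returned content for the traversed path.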
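CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |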
GHSA
GHSA-x5wc-6mvj-2wxv: An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN
ghsa_unreviewed·2022-05-13
CVE-2018-3949 [HIGH] CWE-22
VulnCheck
TP-Link tl-r600vpn_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2018·CVSS 7.5
Affected: TP-Link tl-r600vpn_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/; https://blog.check
No detection rules found.
No public exploits indexed.
Talos
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
blogs_talos·2023-08-02
- Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
- During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
- Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.
- There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.
Small office/home office (SOHO) routers and small-scale industrial rout
Talos
Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN
blogs_talos·2018-11-19·CVSS 7.5
Vulnerabilities discovered by Carl Hurd and Jared Rittle of Cisco Talos.
Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.
## Overview
There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20. However, these can only be exploited with an authenticated session. The remote code execution is done under the context of HTTPD How