cbcvebase.
CVE-2018-3949
published 2018-12-01

CVE-2018-3949: An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a…

PriorityP278high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
53.30%
98.9th percentile
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.

Affected

3 ranges
VendorProductVersion rangeFixed in
talostp-link
tp-linktl-r600vpn_firmware
tp-linktl-r600vpn_firmware

Detection & IOCsextracted from sources · hover to see the quote

snort
47037
snort
47039-47040
snort
47062
  • Directory traversal using 'help' as the base page does not require authentication and can read any file on the system — monitor HTTP requests to /help/ containing traversal sequences (e.g., ../) without session cookies.
  • The vulnerability is exploitable both with and without authentication — detection rules should not rely solely on session/auth state to filter traffic.
  • Traversal attempts targeting the following URL base paths are relevant to CVE-2018-3948/3949: help, images, frames, dynaform, localization.
  • ·All vulnerabilities (including CVE-2018-3949) were confirmed on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3; TALOS-2018-0620 (CVE-2018-3951) was found only on HWv3 FRNv1.3.0.
  • ·The HTTPD process runs as root, meaning successful exploitation of any of these vulnerabilities yields root-level code execution.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.