CVE-2018-18319

Severity CVSS v4.0:
Pending analysis
Type:
CWE-94 Code Injection
Publication date:
15/10/2018
Last modified:
05/08/2024

Description

An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.
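The request shape in the description (api.php with function=command and a Cc parameter that reaches eval) is easy to hunt for in web-server logs, and the firmware range in the version table below is easy to check against an inventory. The following Python script is an added example written for this page; it is not Merlin.PHP code and not part of the CVE record. It assumes combined-format access logs, treats the 380.70 bound from the table as inclusive, and ignores the "_N" rebuild suffix of Asuswrt-Merlin version strings for the range check (an assumption, since the table omits it). The log lines are constructed, not real traffic.

```python
"""Added example (not part of the CVE record or of Merlin.PHP): flag requests
that match the shape of the CVE-2018-18319 proof of concept in access logs,
and check whether a firmware version string falls inside the listed CPE range.
All sample log lines and addresses below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Inclusive upper bound from the "Vulnerable products and versions" table.
AFFECTED_UP_TO = (380, 70)

# Apache/nginx combined log format; only the client IP, request target and
# status code are needed here.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_merlin_version(version: str) -> tuple:
    """'380.70' -> (380, 70); '380.69_2' -> (380, 69); '384.5' -> (384, 5).
    Assumption: the '_N' rebuild suffix does not affect the range check."""
    core = version.split("_", 1)[0]
    major, minor = core.split(".", 1)
    return (int(major), int(minor))


def is_affected_version(version: str) -> bool:
    """True when the firmware version is <= 380.70 (the table's inclusive bound).
    A match only means the CPE range applies; whether Merlin.PHP is actually
    installed and reachable on the device has to be checked separately."""
    return parse_merlin_version(version) <= AFFECTED_UP_TO


def classify_request(log_line: str):
    """Return a dict describing a CVE-2018-18319-style request, or None.
    parse_qs percent-decodes the query, so '%27ls%27' and "'ls'" are treated
    alike, and parameter order does not matter."""
    m = CLF_RE.match(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/api.php"):
        return None
    q = parse_qs(url.query, keep_blank_values=True)
    if q.get("function", [""])[0] != "command":
        return None
    # 'Cc' carries the string that reaches eval() in the advisory's PoC URI.
    cc = q.get("Cc", [""])[0]
    if not cc:
        return None
    return {
        "src": m.group("ip"),
        "class": q.get("class", [""])[0],
        "payload": cc,
        "status": m.group("status"),
    }


def scan(log_lines):
    """Run classify_request over every line and collect the hits."""
    return [info for info in map(classify_request, log_lines) if info]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Oct/2018:10:01:02 +0000] "GET /6/api.php?function=command&class=remote&Cc=%27ls%27 HTTP/1.1" 200 512',
    '192.0.2.11 - - [15/Oct/2018:10:01:05 +0000] "GET /6/api.php?function=status&class=remote HTTP/1.1" 200 128',
    '192.0.2.12 - - [15/Oct/2018:10:02:00 +0000] "GET /6/api.php?Cc=%27cat%20/etc/passwd%27&class=remote&function=command HTTP/1.1" 200 2048',
    '192.0.2.13 - - [15/Oct/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    for v in ("380.70", "380.69_2", "384.5"):
        print(v, "affected range" if is_affected_version(v) else "outside range")
```

A 200 status on a matching request is the interesting case: because the vendor states that Merlin.PHP allows remote code execution by design, a hit from an address outside the trusted intranet is the exposure to act on (remove or firewall the component), and the version check alone does not settle whether a device is at risk.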

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:asuswrt-merlin_project:rt-ac5300_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac5300:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt_ac1900p_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt_ac1900p_:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac68u_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac68u:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac68p_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac68p:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac88u_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac88u:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac66u_b1_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac66u_b1:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac56u_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)
cpe:2.3:h:asuswrt-merlin_project:rt-ac56u:-:*:*:*:*:*:*:* | - | -
cpe:2.3:o:asuswrt-merlin_project:rt-ac3200_firmware:*:*:*:*:*:*:*:* | - | 380.70 (including)