SBA Security Advisory – Teltonika RUT9XX – Unauthenticated OS Command Injection (CVE-2018-17532)

Vulnerability Overview

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

  • Type of Vulnerability: OS Command Injection
  • Fixed in Version: RUT9XX_R_00.05.01.1
  • CVE ID: CVE-2018-17532
  • CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVSSv3 Base Score: 9.8 (Critical)
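The advisory names the affected CGI scripts but does not show their source, so the following is an added illustration of the bug class rather than Teltonika's code: a minimal POSIX shell CGI handler that splices a request parameter into an `eval`'d command string (the vulnerable pattern), next to a hardened handler that allowlists the value and passes it as a single argument. The helper `query_param`, the parameter name `username`, and the `printf` stand-in for the real command are assumptions for the example; URL decoding is omitted and would have to happen before validation in a real script.

```shell
#!/bin/sh
# Added example, not Teltonika firmware code. Demonstrates how an
# unsanitized CGI parameter becomes an OS command, and one fix.

# Hypothetical helper: extract one parameter from a raw CGI QUERY_STRING.
# Usage: query_param "<query string>" "<name>"   (no URL decoding here)
query_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Vulnerable pattern: the value is interpolated into a command string that
# the shell re-parses. Metacharacters in the value (; | ` $( )) become
# separate commands. Constructed input "alice;echo INJECTED" runs both
# printf and echo. The printf is a harmless stand-in for a real command.
vulnerable_handler() {
    user=$(query_param "$1" "username")
    eval "printf 'login: %s\n' $user"
}

# Hardened pattern: reject anything outside an explicit allowlist, never
# re-parse the value with eval or sh -c, and hand it to the command as
# one argv entry so the shell cannot split or interpret it.
hardened_handler() {
    user=$(query_param "$1" "username")
    case "$user" in
        *[!A-Za-z0-9_.@-]*|"") printf 'rejected\n'; return 1 ;;
    esac
    printf 'login: %s\n' "$user"
}

# Stand-alone use as a CGI script: run the hardened handler on the request.
if [ -n "${QUERY_STRING:-}" ]; then
    hardened_handler "$QUERY_STRING"
fi
```

Running `vulnerable_handler 'username=alice;echo INJECTED'` prints the login line followed by `INJECTED`, which is the injected command's output; the hardened handler prints `rejected` and returns non-zero for the same input, and only the allowlisted value `alice` reaches `printf`. The allowlist is the important part: escaping metacharacters is fragile, while refusing anything that is not a plausible username removes the shell from the attack surface entirely.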

Recommended Countermeasure

We recommend updating Teltonika RUT9XX routers to firmware version RUT9XX_R_00.05.01.1 or later. For further details, see the full security advisory.

Links

Full Security Advisory

Credits