CVE-2018-18319

high-risk

Published 2018-10-15

An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution

Do I need to act?

13.3% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (14)

Rt-Ac5300 Firmware

Rt Ac1900P Firmware

Rt-Ac68U Firmware

Rt-Ac68P Firmware

Rt-Ac88U Firmware

Rt-Ac66U B1 Firmware

Rt-Ac56U Firmware

Rt-Ac3200 Firmware

Rt-Ac68Uf Firmware

Rt-Ac87 Firmware

Rt-Ac3100 Firmware

Rt-Ac1900 Firmware

Rt-Ac86U Firmware

Rt-Ac2900 Firmware

Affected Vendors

Asuswrt-Merlin Project

References (4)

Exploit http://blog.51cto.com/010bjsoft/2298902

Exploit https://github.com/qoli/Merlin.PHP/issues/27

Exploit http://blog.51cto.com/010bjsoft/2298902

Exploit https://github.com/qoli/Merlin.PHP/issues/27

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 12/34 · Low

Exposure 18/34 · Moderate