CVE-2019-12272

high-risk
Published 2019-05-23

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

Do I need to act?

!
37.7% chance of exploitation in next 30 days
EPSS score — higher than 62% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Luci

Affected Vendors

Openwrt

References (4)

Patch https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d
Patch https://github.com/openwrt/luci/commits/master
Patch https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d
Patch https://github.com/openwrt/luci/commits/master
53
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 16/34 · Moderate
Exposure 5/34 · Minimal