CVE-2019-18396

EPSS 16.2%

An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands in the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017–14127.

Affected products

n/a · n/a

public PoCs found — 2

cve_referencepacketstormsecurity.com/files/155296/Technicolor-TD5130.2-Remote-Command-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/47651unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/155296/Technicolor-TD5130.2-Remote-Command-Execution.html https://medium.com/%40c4pt41nnn/cve-2019-18396-command-injection-in-technicolor-router-da5dd2134052 https://www.twitter.com/c4pt41nnn