First published: Mon Nov 27 2017
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the iface field of an admin/diagnostic command to cgi-bin/luci, related to the zone_get_effect_devices function in /usr/lib/lua/luci/controller/admin/diagnostic.lua in uhttpd.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
TP-Link WVR300 Firmware | ||
TP-Link TL-WVR300 Firmware | ||
TP-Link WVR302 Firmware | ||
TP-Link WVR302 | ||
TP-Link WVR450L Firmware | ||
TP-Link WVR450 | ||
TP-Link WVR450L Firmware | ||
TP-Link WVR450L | ||
TP-Link TL-WVR450G Firmware | ||
TP-Link TL-WVR450G Firmware | ||
TP-Link TL-WVR458L Firmware | ||
TP-Link TL-WVR458L Firmware | ||
TP-Link TL-WVR458L | ||
TP-Link TL-WVR458L Firmware | ||
TP-Link TL-WVR458P Firmware | ||
TP-Link TL-WVR458P Firmware | ||
TP-Link WVR900G Firmware | ||
TP-Link WVR900G | ||
TP-Link WVR900L Firmware | ||
TP-Link WVR900L Firmware | ||
TP-Link TL-WVR1200L | ||
TP-Link TL-WVR1200L Firmware | ||
TP-Link WVR1300L Firmware | ||
TP-Link WVR1300L | ||
TP-Link TL-WVR1300G | ||
TP-Link TL-WAR1300G | ||
TP-Link TL-WVR1750L Firmware | ||
TP-Link WVR1750L | ||
TP-Link WAR2600L Firmware | ||
TP-Link WVR2600L | ||
TP-Link WVR4300L Firmware | ||
TP-Link WVR4300L Firmware | ||
TP-Link WAR302 | ||
TP-Link WAR302 | ||
TP-Link TL-WAR450 | ||
TP-Link WAR450 | ||
TP-Link WR450L Firmware | ||
TP-Link TL-WAR450L Firmware | ||
TP-Link WAR458L | ||
TP-Link WAR458 | ||
TP-Link WAR458L Firmware | ||
TP-Link WAR458L | ||
TP-Link WDR900L Firmware | ||
TP-Link WAR900L | ||
TP-Link TL-WAR1200L Firmware | ||
TP-Link TL-WAR1200L Firmware | ||
TP-Link WAR1300L Firmware | ||
TP-Link WAR1300L | ||
TP-Link WAR1750L Firmware | ||
TP-Link WAR1750L Firmware | ||
TP-Link Archer WAR2600L | ||
TP-Link TL-ER3210G | ||
TP-Link TL-ER3210G Firmware | ||
TP-Link TL-ER3220G Firmware | ||
TP-Link TL-ER3220G Firmware | ||
TP-Link ER5110G Firmware | ||
TP-Link ER5110G Firmware | ||
TP-Link TL-ER5120G | ||
TP-Link TL-ER5120G Firmware | ||
TP-Link TL-ER5510G Firmware | ||
TP-Link TL-ER5510G Firmware | ||
TP-Link TL-ER5520G Firmware | ||
TP-Link TL-ER5520G Firmware | ||
TP-Link TL-ER6110G Firmware | ||
TP-Link TL-ER6110G Firmware | ||
TP-Link TL-ER6120G | ||
TP-Link TL-ER6120G Firmware | ||
TP-Link TL-ER6220G | ||
TP-Link TL-ER6220G | ||
TP-Link TL-ER6510G | ||
TP-Link TL-ER6510G Firmware | ||
TP-Link TL-ER6520G | ||
TP-Link TL-ER6520G Firmware | ||
TP-Link TL-ER7520G Firmware | ||
TP-Link TL-ER7520G Firmware | ||
TP-Link R473G Firmware | ||
TP-Link R473 | ||
TP-Link R473G Firmware | ||
TP-Link R473 | ||
TP-Link TL-R473P-AC | ||
TP-Link R473P-AC | ||
TP-Link TL-R479GP-AC Firmware | ||
TP-Link TL-R473GP-AC Firmware | ||
TP-Link TL-R478 Firmware | ||
TP-Link TL-R478 Firmware | ||
TP-Link TL-R478+ Firmware | ||
TP-Link TL-R478+ | ||
TP-Link R478+ | ||
TP-Link TL-R478G Firmware | ||
TP-Link TL-R478G+ Firmware | ||
TP-Link TL-R478G+ | ||
TP-Link TL-R479P-AC | ||
TP-Link TL-R479P-AC Firmware | ||
TP-Link TL-R479GP-AC Firmware | ||
TP-Link TL-R479GP-AC Firmware | ||
TP-Link TL-R479GPE-AC Firmware | ||
TP-Link TL-R483 | ||
TP-Link TL-R483 Firmware | ||
TP-Link R483G Firmware | ||
TP-Link R483G Firmware | ||
TP-Link TL-R488 | ||
TP-Link TL-R488 Firmware | ||
TP-Link TL-R4149G | ||
TP-Link R4149G | ||
TP-Link TL-R4239G | ||
TP-Link TL-R4239G Firmware | ||
TP-Link R4299G Firmware | ||
TP-Link R4299G Firmware | ||
CVE-2017-16957 is considered a high-severity vulnerability as it allows remote authenticated users to execute arbitrary commands on affected TP-Link devices.
To fix CVE-2017-16957, ensure that your TP-Link devices are updated with the latest firmware that addresses this vulnerability.
CVE-2017-16957 affects various TP-Link devices, including the TL-WVR, TL-WAR, TL-ER, and TL-R series models.
CVE-2017-16957 is exploited through shell metacharacters in the iface field of an admin/diagnostic command sent to cgi-bin/luci.
The potential consequences of CVE-2017-16957 include unauthorized command execution, leading to data breaches and system compromise.