What is the severity of CVE-2018-18319?

CVE-2018-18319 has been classified as a high severity vulnerability due to the ability of attackers to execute arbitrary commands on affected devices.

How do I fix CVE-2018-18319?

To mitigate CVE-2018-18319, users should upgrade their Asuswrt-Merlin firmware to the latest version beyond 380.70 where the vulnerability is patched.

Which devices are affected by CVE-2018-18319?

CVE-2018-18319 affects various Asuswrt-Merlin devices running firmware version up to 380.70, including RT-AC5300, RT-AC1900P, RT-AC68U, and several others.

What types of attacks can exploit CVE-2018-18319?

CVE-2018-18319 can be exploited to execute arbitrary commands remotely through unprotected API calls.

Is there a vendor response to CVE-2018-18319?

Yes, the vendor has indicated that the issues related to Merlin.PHP are disputed and users are advised to follow up for the latest guidance.

Vulnerability/
CVE-2018-18319

critical

9.8

CWE

15/10/2018

16/9/2024

CVE-2018-18319: Code Injection

First published: Mon Oct 15 2018(Updated: )

** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Asuswrt-Merlin RT-AC5300 firmware	<=380.70
Asuswrt-Merlin project RT-AC5300 firmware
Asuswrt-Merlin project RT-AC1900P	<=380.70
Asuswrt-Merlin project RT-AC1900P firmware
Asuswrt-Merlin RT-AC68U Firmware	<=380.70
Asuswrt-Merlin RT-AC68U Firmware
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project RT-AC68P firmware
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin RT-AC88U
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project RT-AC56U firmware
Asuswrt-Merlin firmware	<=380.70
Asuswrt-Merlin
Asuswrt-Merlin RT-AC68U Firmware	<=380.70
Asuswrt-Merlin
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project rt-ac87 firmware
Asuswrt-Merlin RT-AC3100 Firmware	<=380.70
Asuswrt-Merlin
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin for RT-AC1900
Asuswrt-Merlin project	<=380.70
Asuswrt-Merlin project
Asuswrt-Merlin project rt-ac2900	<=380.70
Asuswrt-Merlin
All of
Asuswrt-Merlin RT-AC5300 firmware	<=380.70
Asuswrt-Merlin project RT-AC5300 firmware
All of
Asuswrt-Merlin project RT-AC1900P	<=380.70
Asuswrt-Merlin project RT-AC1900P firmware
All of
Asuswrt-Merlin RT-AC68U Firmware	<=380.70
Asuswrt-Merlin RT-AC68U Firmware
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project RT-AC68P firmware
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin RT-AC88U
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project RT-AC56U firmware
All of
Asuswrt-Merlin firmware	<=380.70
Asuswrt-Merlin
All of
Asuswrt-Merlin RT-AC68U Firmware	<=380.70
Asuswrt-Merlin
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin project rt-ac87 firmware
All of
Asuswrt-Merlin RT-AC3100 Firmware	<=380.70
Asuswrt-Merlin
All of
Asuswrt-Merlin	<=380.70
Asuswrt-Merlin for RT-AC1900
All of
Asuswrt-Merlin project	<=380.70
Asuswrt-Merlin project
All of
Asuswrt-Merlin project rt-ac2900	<=380.70
Asuswrt-Merlin

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2018-18319?
CVE-2018-18319 has been classified as a high severity vulnerability due to the ability of attackers to execute arbitrary commands on affected devices.
How do I fix CVE-2018-18319?
To mitigate CVE-2018-18319, users should upgrade their Asuswrt-Merlin firmware to the latest version beyond 380.70 where the vulnerability is patched.
Which devices are affected by CVE-2018-18319?
CVE-2018-18319 affects various Asuswrt-Merlin devices running firmware version up to 380.70, including RT-AC5300, RT-AC1900P, RT-AC68U, and several others.
What types of attacks can exploit CVE-2018-18319?
CVE-2018-18319 can be exploited to execute arbitrary commands remotely through unprotected API calls.
Is there a vendor response to CVE-2018-18319?
Yes, the vendor has indicated that the issues related to Merlin.PHP are disputed and users are advised to follow up for the latest guidance.

agent/references
agent/type
agent/severity
agent/weakness
agent/status
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/event
agent/source
agent/author
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-api
source/NVD
agent/software-canonical-lookup
status/disputed
vendor/asuswrt-merlin project
canonical/asuswrt-merlin rt-ac5300 firmware
version/asuswrt-merlin rt-ac5300 firmware/380.70
canonical/asuswrt-merlin project rt-ac5300 firmware
canonical/asuswrt-merlin project rt-ac1900p
version/asuswrt-merlin project rt-ac1900p/380.70
canonical/asuswrt-merlin project rt-ac1900p firmware
canonical/asuswrt-merlin rt-ac68u firmware
version/asuswrt-merlin rt-ac68u firmware/380.70
canonical/asuswrt-merlin
version/asuswrt-merlin/380.70
canonical/asuswrt-merlin project rt-ac68p firmware
canonical/asuswrt-merlin rt-ac88u
canonical/asuswrt-merlin project
canonical/asuswrt-merlin project rt-ac56u firmware
canonical/asuswrt-merlin firmware
version/asuswrt-merlin firmware/380.70
canonical/asuswrt-merlin project rt-ac87 firmware
canonical/asuswrt-merlin rt-ac3100 firmware
version/asuswrt-merlin rt-ac3100 firmware/380.70
canonical/asuswrt-merlin for rt-ac1900
version/asuswrt-merlin project/380.70
canonical/asuswrt-merlin project rt-ac2900
version/asuswrt-merlin project rt-ac2900/380.70