CVE-2017-8116

critical

Description

The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.

References

https://labs.nettitude.com/blog/cve-2017-8116-teltonika-router-unauthenticated-remote-code-execution/

https://github.com/nettitude/metasploit-modules/blob/master/teltonika_cmd_exec.rb

https://github.com/nettitude/metasploit-modules/blob/master/teltonika_add_user.rb

Details

Source: Mitre, NVD

Published: 2017-07-03

Updated: 2025-04-20

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.07455