Back to KEVs

CVE-2018-17532

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi...

Basic Information

CVE State: PUBLISHED
Reserved Date: September 25, 2018
Published Date: October 15, 2018
Last Updated: August 05, 2024
Vendor: n/a
Product: n/a
Description: Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

CVSS Scores

CVSS v3.0

9.8 - CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploit Status

Exploited in the Wild: Yes (2025-10-31 00:00:00 UTC) Source

References

http://seclists.org/fulldisclosure/2018/Oct/27 http://packetstormsecurity.com/files/149777/Teltonika-RUT9XX-Unauthenticated-OS-Command-Injection.html https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-10-31 00:00:00 UTC

Timeline

CVE ID Reserved

September 25, 2018
CVE Published to Public

October 15, 2018
Added to KEVIntel

October 31, 2025