CVE-2019-18396
HIGH EPSS 96.5%
Published Oct 31, 2019 6y ago · Modified Jun 17, 2026 2w ago
7.2 CVSS 3.1
Description
An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands via the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017-14127.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
96.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-78 OS Command Injection
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| technicolor | td5130v2_firmware | oi_fw_v20 | any |
| technicolor | td5130v2 | * | any |
References 3
- packetstormsecurity.com http://packetstormsecurity.com/files/155296/Technicolor-TD5130.2-Remote-Command-Execution.html
- medium.com https://medium.com/%40c4pt41nnn/cve-2019-18396-command-injection-in-technicolor-router-da5dd2134052
- twitter.com https://www.twitter.com/c4pt41nnn
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.