Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-5393

The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode.

Published

2018-09-28T17:29:00.483

Last Modified

2024-11-21T04:08:44.320

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-306
Type: Primary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tp-link	eap_controller	≤ 2.5.3	Yes

References

http://www.securityfocus.com/bid/105402 Third Party Advisory, VDB Entry ([email protected])
https://www.kb.cert.org/vuls/id/581311 Third Party Advisory, US Government Resource ([email protected])
http://www.securityfocus.com/bid/105402 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/581311 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)