Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-36498

A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell.

Published

2024-02-06T17:15:08.527

Last Modified

2025-11-04T19:15:46.107

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses

Type: Secondary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	tp-link	er7206_firmware	1.3.0	Yes
Hardware	tp-link	er7206	-	No

References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1853 Exploit, Technical Description, Third Party Advisory ([email protected])
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1853 Exploit, Technical Description, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1853 (af854a3a-2127-422b-91ae-364da2661108)