CVE-2017-8116

9.8 CRITICAL

📋 TL;DR

CVE-2017-8116 is an unauthenticated remote code execution vulnerability in Teltonika RUT9XX routers' management interface (LuCI). Attackers can execute arbitrary commands with root privileges by injecting shell metacharacters into the username parameter during login. This affects routers with firmware 00.03.265 and earlier.

💻 Affected Systems

Products:
  • Teltonika RUT9XX series routers
Versions: Firmware 00.03.265 and earlier
Operating Systems: Embedded Linux (OpenWrt-based)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the LuCI web management interface. All default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router, allowing attackers to intercept all network traffic, pivot to internal networks, install persistent backdoors, or brick the device.

🟠

Likely Case

Attackers gain full control of the router, enabling traffic monitoring, credential theft, and use as a foothold for further attacks on connected networks.

🟢

If Mitigated

If the router is not internet-facing and has strict network segmentation, impact is limited to potential lateral movement within the isolated network segment.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication, allowing immediate compromise.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or malware, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit modules exist for both command execution and user addition. Exploitation requires only a single HTTP request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after 00.03.265

Vendor Advisory: https://wiki.teltonika-networks.com/view/RUT9XX_Firmware_Downloads

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Teltonika website.
2. Log into the router web interface.
3. Navigate to System > Backup/Flash Firmware.
4. Upload the new firmware file.
5. Wait for the upgrade to complete and the router to reboot.

🔧 Temporary Workarounds

Disable web management interface

Completely disable the vulnerable LuCI web interface if not needed

uci set uhttpd.main.listen_http=''
uci set uhttpd.main.listen_https=''
uci commit uhttpd
/etc/init.d/uhttpd restart

Restrict management interface access

Limit access to management interface to specific IP addresses using firewall rules

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate router on dedicated VLAN with strict firewall rules preventing external access
  • Implement network monitoring for unusual HTTP requests to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Overview or via SSH: cat /etc/os-release

Check Version:

grep VERSION /etc/os-release

Verify Fix Applied:

Confirm firmware version is newer than 00.03.265 and test with Metasploit modules to ensure exploitation fails

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to login endpoint with shell metacharacters in username parameter
  • Unusual process execution from web server context

Network Indicators:

  • HTTP POST requests to /cgi-bin/luci with shell metacharacters in payload
  • Unexpected outbound connections from router

SIEM Query:

source="router_logs" AND (url="/cgi-bin/luci" AND (username="*;*" OR username="*|*" OR username="*`*"))
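The same check as the SIEM query above, carried out over request logs in a small Python script. This is an added example, not code from the advisory or from Teltonika; the "METHOD PATH BODY" log format and the sample lines are constructed for illustration and do not match real uhttpd output. It goes slightly beyond the query by URL-decoding the body first and by also flagging `$(`, `&` and newlines.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Shell metacharacters the SIEM query looks for in the username parameter
# (; | `) plus a few common siblings ($(, &, newline). They are checked
# after URL-decoding, because they usually arrive percent-encoded.
META_RE = re.compile(r"[;|`&\n]|\$\(")

# Constructed sample lines in a simplified "METHOD PATH BODY" format.
# These are NOT real Teltonika/uhttpd log entries.
SAMPLE_LOG = """\
POST /cgi-bin/luci username=admin&password=secret
POST /cgi-bin/luci username=admin%3Bx&password=a
GET /cgi-bin/luci/admin/status none
POST /cgi-bin/luci username=ops%60x%60&password=b
POST /cgi-bin/luci username=r%7Cx&password=c
POST /other username=root%3Bx&password=d
"""


def suspicious_username(body: str) -> Optional[str]:
    """Return the decoded username if it contains a shell metacharacter."""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    for user in params.get("username", []):
        if META_RE.search(user):
            return user
    return None


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_username) for each suspicious LuCI login POST."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        method, path, body = parts
        # Only login POSTs to the LuCI endpoint are of interest here.
        if method != "POST" or not path.startswith("/cgi-bin/luci"):
            continue
        user = suspicious_username(body)
        if user is not None:
            hits.append((n, user))
    return hits


if __name__ == "__main__":
    for n, user in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious username {user!r}")
```

Feed it your own request logs by adapting the three-field split in `scan` to the log format your router or reverse proxy actually produces.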
