CVE-2018-11241

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to read and write arbitrary files as root on SoftCase T-Router devices, leading to potential remote code execution. It affects T-Router builds before Spring 2018. Attackers can exploit this to gain complete control of affected devices.

💻 Affected Systems

Products:
  • SoftCase T-Router
Versions: Builds before Spring 2018 (specifically build 20112017 confirmed vulnerable)
Operating Systems: Embedded/Linux-based router OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected builds are vulnerable. The vulnerability is in the device firmware itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level remote code execution, allowing attackers to install persistent backdoors, steal sensitive data, or use the device as a pivot point in the network.

🟠 Likely Case

Remote code execution leading to device takeover, data theft, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if devices are isolated in secure network segments with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, this provides root-level access to critical network infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit involves writing to crontab files to achieve code execution. Public proof-of-concept demonstrates the attack chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Production builds from Spring 2018 onward

Vendor Advisory: Unknown - No official vendor advisory found in references

Restart Required: Yes

Instructions:

1. Contact SoftCase for updated firmware.
2. Back up the device configuration.
3. Install the Spring 2018 or later production build.
4. Restart the device.
5. Verify that the fix is applied.

🔧 Temporary Workarounds

Network Isolation

Isolate T-Router devices in separate VLANs with strict firewall rules limiting access to management interfaces.

Access Control Lists

Implement network ACLs to restrict access to T-Router management interfaces to trusted IP addresses only.

🧯 If You Can't Patch

  • Immediately isolate affected devices from internet and critical network segments
  • Implement strict network monitoring and alerting for any access attempts to T-Router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the device build version via the web interface or SSH. If the build date is before Spring 2018 (build 20112017 is confirmed vulnerable), the device is vulnerable.

Check Version:

Check via the device web interface or an SSH session to the device (the specific command depends on the device configuration).

Verify Fix Applied:

Verify device is running Spring 2018 or later production build. Test that arbitrary file write attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations to system directories
  • Crontab modifications from unexpected sources
  • Root-level access attempts to device

Network Indicators:

  • Unexpected connections to T-Router management ports
  • Traffic patterns suggesting file transfer to/from device

SIEM Query:

source="t-router" AND (event="file_write" OR event="crontab_modify")
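As an added example (not part of this advisory and not vendor code), here is one way to turn the log indicators above into detection logic: a small Python scanner over key=value log lines. The log format, field names, process names and sample lines are all constructed assumptions, since the page does not document T-Router's real log output.

```python
import re
from typing import Dict, List

# Constructed sample log lines (assumed format, not real T-Router output).
SAMPLE_LOG = """\
2018-05-20T10:00:01Z t-router event=file_read uid=0 proc=httpd path=/etc/passwd src=203.0.113.5
2018-05-20T10:00:02Z t-router event=file_write uid=0 proc=httpd path=/etc/crontab src=203.0.113.5
2018-05-20T10:00:03Z t-router event=file_write uid=0 proc=httpd path=/var/spool/cron/root src=203.0.113.5
2018-05-20T10:05:00Z t-router event=file_write uid=0 proc=cron path=/var/log/cron.log src=local
2018-05-20T10:06:00Z t-router event=file_write uid=0 proc=config_save path=/etc/config/network src=local
"""

CRON_PATHS = ("/etc/crontab", "/etc/cron.d/", "/var/spool/cron/")
SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/usr/", "/lib/")
# Processes expected to write system files on the device (assumed names).
TRUSTED_WRITERS = {"config_save", "cron"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def classify(ev: Dict[str, str]) -> str:
    """Return an alert name for a suspicious event, or '' if it looks benign."""
    event, path, proc = ev.get("event", ""), ev.get("path", ""), ev.get("proc", "")
    remote = ev.get("src", "local") != "local"
    # Crontab writes are the code-execution step described in the exploit status above.
    if event == "file_write" and path.startswith(CRON_PATHS):
        return "crontab_modify"
    # Any other write into a system directory by a process that should not be writing there.
    if event == "file_write" and path.startswith(SYSTEM_DIRS) and proc not in TRUSTED_WRITERS:
        return "system_file_write"
    # Root-level file access originating from a remote source.
    if ev.get("uid") == "0" and remote:
        return "remote_root_access"
    return ""


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan log text and return one alert record per suspicious line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        name = classify(ev)
        if name:
            alerts.append({"ts": ev["ts"], "alert": name, "path": ev.get("path", ""), "src": ev.get("src", "")})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```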

🔗 References
