CVE-2018-5997
📋 TL;DR
CVE-2018-5997 is a critical vulnerability in RAVPower Filehub's HTTP server that combines unrestricted file upload with path traversal, allowing attackers to upload malicious files anywhere on the filesystem. This leads to remote code execution with root privileges. Only RAVPower Filehub devices running vulnerable firmware are affected.
💻 Affected Systems
- RAVPower Filehub
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the device with root-level remote code execution, allowing attackers to install persistent backdoors, steal data, or use the device as a pivot point into internal networks.
Likely Case
Remote attackers gain full control of the Filehub device, potentially accessing connected storage devices, modifying files, or using the device for malicious purposes.
If Mitigated
No impact if device is not internet-facing and proper network segmentation is in place.
🎯 Exploit Status
Public exploit code is available on Exploit-DB (43871), making this easily weaponizable by attackers with minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No known vendor advisory
Restart Required: No
Instructions:
No official patch available. Consider the device end-of-life and replace with supported hardware.
🔧 Temporary Workarounds
Network Isolation
allCompletely isolate the RAVPower Filehub from any network access
Use firewall rules to block all inbound/outbound traffic to the device
Place device on isolated VLAN with no internet access
Disable HTTP Server
allTurn off the vulnerable HTTP server if possible
Check device settings for option to disable web interface
If available, disable HTTP/HTTPS services
🧯 If You Can't Patch
- Immediately disconnect device from any network until replacement can be arranged
- If device must remain in use, place behind strict firewall rules allowing only essential traffic from trusted IPs
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or device settings. If version is 2.000.056 or earlier, assume vulnerable.Check Version:
Access device web interface at http://[device-ip]/ and check firmware version in settingsVerify Fix Applied:
No official fix exists to verify. The only verification is device replacement.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to HTTP server
- Unexpected file creation in system directories
- HTTP requests with path traversal patterns (../)
Network Indicators:
- HTTP POST requests to upload endpoints with malicious payloads
- Outbound connections from device to unknown IPs
SIEM Query:
source="device-logs" AND (http_method="POST" AND uri CONTAINS "upload" OR uri CONTAINS "../")