Vulnerability Description
The TP-LINK EAP Controller is TP-LINK's software for remotely managing its wireless access points. It exposes a Java Remote Method Invocation (RMI) service for that remote control. In EAP Controller versions 2.5.3 and earlier, this RMI service accepts commands without any user authentication. Because RMI carries method arguments as serialized Java objects, a remote attacker who can reach the service can send crafted serialized data and carry out a deserialization attack. A successful attack may allow the attacker to execute arbitrary Java code or bytecode on the server and take control of it.
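The practical first check is whether the controller's RMI service is reachable at all, since any RMI endpoint answers the JRMI stream-protocol handshake without authentication. The following is an added example, not code from the page or from TP-LINK: it sends the 7-byte JRMI handshake (magic "JRMI", version 2, StreamProtocol 0x4B) and parses the ProtocolAck (0x4E) reply, which carries the host string and port the server believes the client connected from. The RMI port number is not stated on this page, so it is a parameter here. A small in-process fake endpoint is included, marked as constructed, so the probe can be exercised offline; the advertised host and port it returns are made up. A successful handshake proves only that an RMI endpoint is exposed, not that the specific deserialization attack succeeds.

```python
import socket
import struct
import threading

# JRMI stream-protocol constants (from the Java RMI wire protocol)
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def build_handshake() -> bytes:
    """Client hello: 'JRMI' + big-endian version short + protocol byte."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def parse_ack(data: bytes):
    """Return (host, port) for a well-formed ProtocolAck, else None.

    Layout: 0x4E, then a Java UTF string (2-byte length + bytes)
    naming the client host as seen by the server, then a 4-byte port.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", "replace")
    (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return host, port


def probe_rmi(host: str, port: int, timeout: float = 3.0):
    """Connect, send the handshake and return the parsed ProtocolAck or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake())
        buf = b""
        while len(buf) < 1024:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
            parsed = parse_ack(buf)
            if parsed is not None:
                return parsed
            if buf[0] != PROTOCOL_ACK:
                break  # NACK or garbage: not an RMI endpoint speaking to us
    return None


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def start_fake_rmi_endpoint(advertised_host: str = "10.0.0.5",
                            advertised_port: int = 1099) -> int:
    """Constructed stand-in for an RMI endpoint, for offline testing only.

    Listens on an ephemeral loopback port, answers one connection with a
    ProtocolAck (or a NACK on a bad hello) and returns the port to probe.
    The advertised host/port values are made up.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            hello = _recv_exact(conn, len(build_handshake()))
            if hello == build_handshake():
                h = advertised_host.encode("utf-8")
                conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h))
                             + h + struct.pack(">i", advertised_port))
            else:
                conn.sendall(bytes([PROTOCOL_NACK]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_rmi_endpoint()
    print("fake endpoint answered:", probe_rmi("127.0.0.1", p))
```

Run it against a controller with `probe_rmi(controller_ip, rmi_port)`; a `(host, port)` tuple back means an RMI endpoint is listening and accepted the handshake with no credentials, which is exactly the exposure this CVE describes, and the host should be isolated or upgraded before it is reachable from untrusted networks.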
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tp-Link | Eap Controller | <= 2.5.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105402 (Third Party Advisory, VDB Entry)
- https://www.kb.cert.org/vuls/id/581311 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2018-5393?
CVE-2018-5393 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface...
How severe is CVE-2018-5393?
CVE-2018-5393 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-5393?
Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Eap Controller.