Vulnerability ID: ZSL-2019-5508 Type: Remote/Local Impact: System Access, DoS Risk: (4/5) Release Date: 03.02.2019 Vulnerable Product: devolo dLAN 550 duo+ Starter Kit Affected Version: dLAN 500 AV Wireless+ 3.1.0-1 (i386) Tested On: Linux 2.6.31 Summary: The devolo dLAN 550 duo+ Starter Kit, a Powerline adapter, has a vulnerability allowing authenticated attackers to enable 'hidden' services via the htmlmigr CGI script, leading to remote arbitrary code execution with root privileges. Vendor: devolo AG - https://www.devolo.com Vendor Status: - [04.10.2017] Vulnerability discovered. - [11.10.2017] Vendor contacted via email. - [14.10.2017] No response from the vendor. - [15.10.2017] Second attempt - Vendor contacted via email. - [02.02.2019] No response from the vendor. - [03.02.2019] Public security advisory released. PoC: devolo_rce.txt Credits: Vulnerability discovered by Stefan Petrushevski - References: 1. https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php 2. https://www.exploit-db.com/exploits/46325 3. https://packetstormsecurity.com/files/151527 4. https://cxsecurity.com/issue/WLB-2019020038 5. https://exchange.xforce.ibmcloud.com/vulnerabilities/156596