CVE-2018-5393

CVE-2018-5393: TP-Link EAP Controller versions 2.5.3 and earlier lack RMI authentication

Vendor: TP-Link
Product: EAP Controller
Weakness: CWE-306 (Missing auth)
Published: September 28, 2018
Last update: August 5, 2024

What the vulnerability does

01 Description

The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It uses a Java remote method invocation (RMI) service for remote control. In EAP Controller versions 2.5.3 and earlier, the RMI interface does not require any authentication before RMI service commands are accepted. Remote attackers can therefore carry out deserialization attacks through the RMI protocol. A successful attack may allow a remote attacker to remotely control the target server and execute Java functions or bytecode.

Key dates

02 Disclosure timeline

September 28, 2018: CVE published
August 5, 2024: Record updated