CVE-2020-16148 - Telmat - Authenticated root RCE

Sep 20, 2020   
authenticated cve remote-code-execution 
Also available in:  🇫🇷 


An authenticated code injection on the "Administration avancée" (Advanced administration) page of Telmat AccessLog, Gît@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.

Affected products

Manufacturer Model Software version
TelMat AccessLog <= 6.0 (TAL_20180415)
TelMat Educ@Box <= 6.0 (TAL_20180415)
TelMat Gît@Box <= 6.0 (TAL_20180415)


This vulnerability was tested on a Telmat AccessLog 6.0 (TAL_20180415):

An attacker needs to have an account on the device with access to the administration interface. Then, the attacker goes on the "Administration avancée" (Advanced administration) of the administration panel, to use test tools :


This page allows an administrator to use ping, traceroute and other tools to debug the network configurations. However, the command input is not filtered and is directly executed by a shell. Therefore, we can simply inject commands directly into the system shell :

Command : ping
Payload : -c0; id

Full POC URL : https://${TELMAT_IP}:${PORT}/services/cmd.php?lang=fr&CMD=ping&host=

We have there a Remote Code Execution (RCE), and furthermore we are directly root on the system :

Proof of Concept - Authenticated RCE


In order to patch this vulnerability you need to update your firmware to the latest version.