CVE-2017-20221 - Vulnerability Details

- Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution

Description

Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges.

Published: 2026-03-16

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A cross‑site request forgery flaw in the Telesquare SKT LTE Router SDT‑CS3B1 exposes authenticated users to arbitrary system command execution. The absence of request validation allows a malicious website to trigger administrative actions on the router, giving the attacker full control of the device. The vulnerability is classified as CWE‑352 and can lead to complete compromise of the router’s operating system, enabling data exfiltration, service disruption, or further lateral movement into the network.

Affected Systems

The flaw exists in the Telesquare SDT‑CS3B1 router, particularly firmware versions 1.1.0 and 1.2.0. Users of these routers running the affected firmware are vulnerable if they have administrative access to the web interface.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. With an EPSS score of less than 1% the probability of active exploitation is low, and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated user who visits a crafted malicious page; therefore exploitation relies on social‑engineering or phishing of a legitimate user rather than remote autonomous code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Telesquare

SDT-CS3B1

affected

Version	Status	Constraints
`1.2.0`	affected	—

No data.

Vendor Product Confidence Versions

Telesquare

Sdt-cs3b1

100%

Version	Status	Scheme	Platform
`1.2.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the latest firmware update from Telesquare that addresses the CSRF vulnerability
If a patch is not immediately available, disable the router’s web management interface from external networks or restrict access to trusted IP addresses
Ensure that all users delete temporary login cookies after use and avoid visiting untrusted sites while logged into the router’s admin console
Monitor router logs for abnormal command execution activity and investigate any unexpected changes

Generated by OpenCVE AI on March 22, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://cxsecurity.com/issue/WLB-2017120299
https://exchange.xforce.ibmcloud.com/vulnerabilities/136839
https://packetstormsecurity.com/files/145550
https://www.exploit-db.com/exploits/43400/
https://www.vulncheck.com/advisories/telesquare-skt-lte-router-sdt-cs3b1-csrf-system-command-execution
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php

History

Mon, 16 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges.
Title		Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
First Time appeared		Telesquare Telesquare sdt-cs3b1 Telesquare sdt-cs3b1 Firmware
Weaknesses		CWE-352
CPEs		cpe:2.3:h:telesquare:sdt-cs3b1:-:::::::* cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.1.0:::::::* cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:::::::*
Vendors & Products		Telesquare Telesquare sdt-cs3b1 Telesquare sdt-cs3b1 Firmware
References		https://cxsecurity.com/issue/WLB-2017120299 https://exchange.xforce.ibmcloud.com/vulnerabilities/136839 https://packetstormsecurity.com/files/145550 https://www.exploit-db.com/exploits/43400/ https://www.vulncheck.com/advisories/telesquare-skt-lte-router-sdt-cs3b1-csrf-system-command-execution https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}`

Subscriptions

Telesquare Sdt-cs3b1 Sdt-cs3b1 Firmware

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-16T01:28:24.978Z

Updated: 2026-04-07T14:03:41.428Z

Reserved: 2026-03-15T21:54:37.665Z

Link: CVE-2017-20221

Vulnrichment

Updated: 2026-03-16T14:17:05.830Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:51.913

Modified: 2026-03-16T14:53:46.157

Link: CVE-2017-20221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:47Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object